Introduction to Applied Algebraic Systems
This page intentionally left blank
Introduction to Applied Algebraic Syst...
149 downloads
951 Views
3MB Size
Report
This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form
Introduction to Applied Algebraic Systems
This page intentionally left blank
Introduction to Applied Algebraic Systems
Norman R. Reilly
1 2009
3 Oxford University Press, Inc., publishes works that further Oxford University’s objective of excellence in research, scholarship, and education. Oxford New York Auckland Cape Town Dar es Salaam Hong Kong Karachi Kuala Lumpur Madrid Melbourne Mexico City Nairobi New Delhi Shanghai Taipei Toronto With offices in Argentina Austria Brazil Chile Czech Republic France Greece Guatemala Hungary Italy Japan Poland Portugal Singapore South Korea Switzerland Thailand Turkey Ukraine Vietnam
Copyright © 2009 by Oxford University Press, Inc. Published by Oxford University Press, Inc. 198 Madison Avenue, New York, New York 10016 www.oup.com Oxford is a registered trademark of Oxford University Press All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of Oxford University Press. Library of Congress Cataloging-in-Publication Data Reilly, Norman R. Introduction to applied algebraic systems / Norman R. Reilly. p. cm. ISBN: 978-0-19-536787-4 1. Algebra. I. Title. QA155.R3656 2008 512–dc22 2008017220
9 8 7 6 5 4 3 2 1 Printed in the United States of America on acid-free paper
Preface
In the last forty to fifty years, algebraic systems have played a critical role in the development of the computer and communication technology that surround us in our daily lives. This has made algebra much more relevant to the modern student. Algebra is no longer just a pretty subject with an interesting history, but a discipline that plays a critical role in modern commerce, communication and entertainment. Some traditional approaches to undergraduate algebra can easily leave a student with the impression that the development of algebra ended with the 19th century. It is the goal of this text to show that the subject is alive, vibrant, exciting, and more relevant to modern technology than it has ever been. This justifies a shift in the emphasis and selection of topics in any modern introduction to algebra. In the storage of data, whether in computers, on compact disks or dvd’s, it would be prohibitively expensive to try to develop error free systems. It is more cost effective to provide for the correction of a small number of errors or corruptions of the data. Likewise, in the communication of data, such as from satellites where signals may be weak and it might not be cost effective to constantly resend messages, it is again preferable to devise systems to correct small errors and small losses of data. These needs have led to the development of error correcting codes, codes which attempt to accept slightly faulty or corrupted data and correct it. At the forefront of these techniques are algebraic codes. Algebraic codes take advantage of the properties of finite fields. In another direction, the need for security in the transmission and storage of information has led to the the development of ever more advanced encryption schemes, schemes that must become ever more sophisticated as computing power grows exponentially year by year and
vi
Preface
techniques available to cryptanalysts also become more sophisticated. Some of the most widely used and most advanced of these encryption techniques, such as RSA encryption and elliptic curve encryption, are based on number theory, group theory and algebraic geometry. In this book, we provide an introduction to algebraic systems that keeps these modern applications of algebra in mind while providing a solid introduction to the basic algebraic structures of groups, rings, fields and algebraic geometry. In a nutshell, the goal of this text is to provide a strong introduction to algebraic systems motivated by modern applications, and to build a foundation in algebra appropriate for the exploration of modern developments. Sections are included on topics such as bar codes, RSA encryption, error correcting codes, Enigma encryption and elliptic curves and their applications. Through the sections devoted to applications, we provide a window into those applied areas and provide evidence of the critical importance of the basic concepts of abstract algebra to those applied areas. In the line of applications, we do not overlook some more established areas of application of algebraic systems and include sections on applications of groups to counting techniques. Mathematical software is playing an increasing role in both research and in undergraduate programs. In that direction, computational algebra is a rapidly growing field, and one of its most important tools is Groebner bases for ideals in polynomial rings. In large measure this is due to the fact that they can be efficiently computed with the help of the Buchberger algorithm. Apart from being computationally important, these notions are interesting in and of themselves and facilitate the development of the introductory theory of algebraic geometry. The book is divided into seven chapters. Chapter 1 provides a thorough introduction to number theory, which is the foundation of the subject and provides a model for much that follows. There are also sections illustrating applications of number theory to bar codes and encryption. Chapter 2 introduces rings, polynomials, fields, Galois fields, minimal polynomials and concludes with a section on Bose-Chauduri-Hocquenghem and ReedSolomon error correcting codes. The motivation for departing from the usual practice of introducing groups before rings and fields is the strong parallel that exists between the basic elements of number theory and the techniques used in the construction of field extensions; the Euclidean Algorithm, the factorization into irreducibles, the importance of the congruence modulo a prime compared with the congruence on the ring of polynomials over a field modulo an irreducible polynomial. All this makes it possible to approach field theory as a natural extension of basic number theory. Chapter 3 introduces groups with an emphasis on permutations and permutation groups. The definitions of even and odd permutations are introduced via permutation matrices, thereby avoiding the sometimes awkward verification that the concepts are well defined. The important ideas of orbits and stabilizers are explored followed by an introduction to the counting applications developed by Cauchy, Frobenius and Pólya. The notions of normal subgroups and
Preface
vii
homomorphisms are delayed until Chapter 4 for important pedagogical reasons. First there is a great deal of very interesting material that has no need of these concepts and, secondly, there is insufficient time in a one semester course that covers rings and fields as well as groups to demonstrate the importance of these ideas. The result can be that they are left dangling with no apparent utility. Chapter 4 then continues with the characterization of finite abelian groups, homomorphisms and normal subgroups, conjugacy (including the “theorem that won World War II”) and the striking Sylow theorems. The classes of nilpotent and solvable groups are also introduced. The chapter concludes with a description of the Enigma machine as an illustration of the potential sophistication that can be built around permutation ciphers. Polynomials and their zeros are at the very heart of algebra and are usefully investigated in the context of polynomial rings and affine spaces. Chapter 5 is devoted to the associated topics of ideals, affine varieties, Groebner bases, parameters and intersection multiplicities. Chapter 6 introduces elliptic curves. Elliptic curves are important in smart card encryption and prime factorization. Here, although space does not permit a complete treatment of some results such as Bézout’s theorem, sufficient detail is provided for a student to develop a good understanding of the basics. The details of the remarkable Nine-Point Theorem and the arithmetic on an elliptic curve are included. The final chapter, Chapter 7, contains a pot-pourri of topics that round off the discussion of previous chapters. The topics include elliptic curve cryptosystems, prime factorization using elliptic curves, the link between Fermat’s Last Theorem, and elliptic curves, and the chapter concludes with a discussion of Pell’s equation. What to teach in a course based on this text? An important feature of the text is its flexibility. Chapter 1 is suitable on its own as a short (12– 13 lectures) introduction to Number Theory for a general audience at the first or second year college level. Chapters 1, 2 and 3 make an excellent selfcontained half-year course (in the range of 35–40 lectures), suitable for second or third year college or university students, introducing the basic structures of modular arithmetic, groups, rings and fields, with plenty of substantial material. Chapters 1 through 7 are suitable for a whole year course (70–80 lectures) in algebra. Chapters 4 through 7 are suitable for third and fourth year undergraduate students and can also be used as an introductory graduate text for students who have taken only a half year undergraduate course in algebra or who have taken a more traditional undergraduate course in algebra. How should one teach from this text? There is a considerable amount of material in each of the sections with a considerable amount of detail. There are also places where a detailed verification is left to the reader, perhaps because the argument is just a repetition of an earlier argument. So to teach every detail and fill in every missing argument may not be the best way to present the subject. I would recommend that an instructor exercise some discretion as to what is covered in complete detail and what is covered lightly. One of
viii Preface
my own rules of thumb is to ask myself three questions about each proof, especially longer proofs: (i) Is there any clear benefit to the student from going through these calculations? (ii) Will it help in understanding the result itself? (iii) Are there ideas in the proof that are especially clever, useful or interesting in and of themselves? If the answers to all three of these questions is no, then what is the point of wading through the gory details? For example, is there value in going through the details of the Fundamental Theorem of Arithmetic? Well, that might depend on the level of the students. In an elementary class, it is an interesting application of induction; in a more advanced class, it might all seem too trivial. Is it worthwhile to cover the equivalence between equivalence relations and partitions in detail, or would it be better to discuss it on an intuitive level and leave the details to be read by those students who are most interested in that? Then in Chapter 2 one of the great advantages of treating rings and fields before groups is that the parallel between modular arithmetic and the construction of factor rings of polynomial rings modulo a polynomial (ideal) is so strong that the vast majority of students have no difficulty accepting the concepts without rigorously checking all the details. In other words, an instructor can easily focus students’ efforts and interests on the most important and most interesting topics. There are many worked examples in the text to illustrate the theory and each section is followed by numerous exercises (almost 850 in total) ranging from routine to challenging. The longer and more difficult exercises are marked by either one or two asterisks. A Solutions Manual is available to course instructors from the author. An appropriate background for this book would be an introductory course in linear algebra, determinants and matrices.
Acknowledgments
I would like to acknowledge my sincere gratitude to Drs Edmond Lee and Michael Monagan who read parts of the manuscript very carefully and who, in addition to making many corrections, made many useful remarks and suggestions that influenced both content and presentation. I would also like to thank the anonymous reviewers whose rigorous reading of the manuscript and thoughtful advice resulted in major improvements in the text.
This page intentionally left blank
Contents
1
Modular Arithmetic 1.1 Sets, functions, numbers 1.2 Induction 1.3 Divisibility 1.4 Prime Numbers 1.5 Relations and Partitions 1.6 Modular Arithmetic 1.7 Equations in Zn 1.8 Bar codes 1.9 The Chinese Remainder Theorem 1.10 Euler’s function 1.11 Theorems of Euler and Fermat 1.12 Public Key Cryptosystems
2
Rings and Fields 2.1 Basic Properties 2.2 Subrings and Subfields 2.3 Review of Vector Spaces 2.4 Polynomials 2.5 Polynomial Evaluation and Interpolation 2.6 Irreducible Polynomials 2.7 Construction of Fields 2.8 Extension Fields 2.9 Multiplicative Structure of Finite Fields
3 3 14 19 26 32 36 44 51 56 61 64 68 79 79 86 95 100 109 116 123 130 140
xii
Contents
2.10 2.11 2.12 2.13 2.14
Primitive Elements Subfield Structure of Finite Fields Minimal Polynomials Isomorphisms between Fields Error Correcting Codes
143 148 152 161 168
3
Groups and Permutations 3.1 Basic Properties 3.2 Subgroups 3.3 Permutation Groups 3.4 Matrix Groups 3.5 Even and Odd Permutations 3.6 Cayley’s Theorem 3.7 Lagrange’s Theorem 3.8 Orbits 3.9 Orbit/Stabilizer Theorem 3.10 The Cauchy-Frobenius Theorem 3.11 K-Colorings 3.12 Cycle Index and Enumeration
181 181 193 200 207 213 217 220 228 234 241 250 254
4
Groups: Homomorphisms and Subgroups 4.1 Homomorphisms 4.2 The Isomorphism Theorems 4.3 Direct Products 4.4 Finite Abelian Groups 4.5 Conjugacy and the Class Equation 4.6 The Sylow Theorems 1 and 2 4.7 Sylow’s Third Theorem 4.8 Solvable Groups 4.9 Nilpotent Groups 4.10 The Enigma Encryption Machine
264 264 274 278 283 292 299 305 309 315 322
5
Rings and Polynomials 5.1 Homomorphisms and Ideals 5.2 Polynomial Rings 5.3 Division Algorithm in F [x1 , x2 , . . . , xn ] : Single Divisor 5.4 Multiple Divisors: Groebner Bases 5.5 Ideals and Affine Varieties 5.6 Decomposition of Affine Varieties 5.7 Cubic Equations in One Variable 5.8 Parameters 5.9 Intersection Multiplicities 5.10 Singular and Nonsingular Points
331 331 339 349 358 367 376 381 383 394 399
6
Elliptic Curves 6.1 Elliptic Curves 6.2 Homogeneous Polynomials
403 403 408
Contents xiii
6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 7
Projective Space Intersection of Lines and Curves Defining Curves by Points Classification of Conics Reducible Conics and Cubics The Nine-Point Theorem Groups on Elliptic Curves The Arithmetic on an Elliptic Curve Results Concerning the Structure of Groups on Elliptic Curves
414 427 433 439 443 447 453 458 466
Further Topics Related to Elliptic Curves 7.1 Elliptic Curve Cryptosystems 7.2 Fermat’s Last Theorem 7.3 Elliptic Curve Factoring Algorithm 7.4 Singular Curves of Form y 2 = x 3 + ax + b 7.5 Birational Equivalence 7.6 The Genus of a Curve 7.7 Pell’s Equation
471 471 475 480 485 488 494 496
References
503
Index
505
This page intentionally left blank
Introduction to Applied Algebraic Systems
This page intentionally left blank
1 Modular Arithmetic
In this chapter we study the most basic algebraic system of all—the integers. Our familiarity with the integers from everyday affairs might lead us to the impression that they are uninteresting. Nothing could be further from the truth, and in this chapter we will barely scratch the surface of a subject that has intrigued mathematicians for more than 2000 years.
1.1 Sets, functions, numbers
We begin with some basic ideas and useful notation concerning sets, functions, and numbers. A set is a collection of objects that we call the elements or members of the set. We are relying, here, on a rather naive definition of a set. The concept of a set is extremely subtle and goes to the very foundations of mathematics. We will be satisfied here if we can develop a sound intuitive understanding. Sets can be described in (at least) three ways: (1) An exhaustive list: For example, A = {1,3,6,8} B = {Beijing, Moscow, New York, Ottawa} C = {Jean, John, Mary}. 3
4
Introduction to Applied Algebraic Systems
(2) A partial list: A = {1, 2, 3, . . .} B = {0, 1, −1, 2, −2, . . .} C = {1, 1/2, 1/3, 1/4, . . .}. (3) A rule or condition: A = {integers n | n is divisible by 2} B = {integers n | there exists an integer k with n = 3k 2 + 2k + 1} C = {persons P | P is studying calculus and has a birthday in January}. To indicate that a is a member of the set A we write a ∈ A. To indicate that a is not a member of the set A we write a ∈ / A. For example, if A = {x | x is the name of a Canadian province} then Manitoba ∈ A but California ∈ / A. In various situations it can be helpful to reduce the length of a formula or condition by using the following notation: “∃” means “there exists”. “∀” means “for all”. For example, we might write {A | A is a set of integers and ∃ a ∈ A that is a multiple of 5} or {A | A is a set of integers and ∀a ∈ A ∃ an integer n with a = 2n + 1}. The empty set, which we denote by ∅, is the set with no elements. If A is a set and A = ∅ then we say that A is nonempty. It is quite possible to be discussing the empty set without being aware of it (initially, at least). For instance, in the 17th century, P. de Fermat wrote that the set A = {n ≥ 3 | ∃ x, y, z ∈ N \ {0} with x n + y n = z n } is empty. However, he provided no proof, and it was only in the last decade of the 20th century that Fermat’s claim was finally confirmed by Andrew Wiles. So for more than 300 years it remained an open question whether A is empty. As another example, we might be interested in the set of integers A = {a | ∃ a positive integer b with a 3 + 2a + 2 = b 2 } only to discover at some point that there is no such integer a so that A = ∅.
Modular Arithmetic
5
Let A and B be sets. Then A is a subset of B if and only if every element of A is an element of B. When this is the case, we write A ⊆ B. The two extreme cases are ∅ ⊆ B and B ⊆ B. If A is a subset of B, but not equal to B, then we say that A is a proper subset of B and write A ⊂ B. Two sets A and B are equal if and only if they have the same members. Thus, to show that two sets, A and B, are equal, we must show that every member of A is a member of B and vice versa—that is, that A ⊆ B and B ⊆ A. Example 1.1.1 Consider the list of names Alfred, Jean, John, Li, Mark, Peter, Stephen. Let A = set of names in the list containing the letter e B = set of names in the list containing two vowels. Then A = B since every name containing the letter e has two vowels and every name with two vowels contains the letter e. If A and B are sets, then A ∪ B = {x | x ∈ A or x ∈ B} A ∩ B = {x | x ∈ A and x ∈ B} A \ B = {x | x ∈ A and x ∈ B}. For any finite set A, | A | = the number of elements in A and is sometimes referred to as the cardinality of A. There are various important sets of numbers: N = {1, 2, 3, . . .} the natural numbers or positive integers N0 = {0, 1, 2, 3, . . .} the nonnegative integers Nn = {1, 2, 3, . . . , n} Z = the set of all integers Q = the set of rational numbers R = the set of real numbers
For a, b ∈ Z with a < b we write [a, b] = {a, a + 1, a + 2, . . . , b}. All these number systems which we now take for granted so easily, represent major steps forward in the historical development of mathematics. Even the
6
Introduction to Applied Algebraic Systems
lowly number zero had a difficult introduction. Some historians trace its origins back to Sumeria, a region covering parts of modern-day Iran and Iraq, about 2500 years ago. However, even by the time of the ancient Greeks, it had not been fully accepted and was viewed with some suspicion. A great source for anyone interested in the origins of our place-valued number system, zero, negative integers, arithmetic, and so forth, is the book review by J. Dauben [Dau]. Complex numbers will also be part of our disussions. Recall that complex numbers are just those numbers of the form a + ib (or a + bi) where a and b are real numbers and i 2 = −1. We denote the set of all complex numbers by C. Thus C = {a + ib|a, b are real numbers}.
Complex numbers combine under addition and multiplication just like real numbers, except that every time we encounter i 2 we replace it by −1. Note that C contains R, since any real number a can be written as a + i0. Just as we represent the real numbers as points on a line, it is often convenient to represent complex numbers as points on a plane: a+ib → (a, b). y
6
r θ
q (a, b) -
x
Then the polar coordinates for (a, b) are r = (a 2 + b 2 )1/2 ,
θ = tan−1 (b/a).
The original coordinates, in terms of the polar coordinates, are given by a = r cos θ ,
b = r sin θ .
In terms of the original complex number a + ib, we define |a + ib| = (a 2 + b 2 )1/2 to be the absolute value of a + ib and the argument of a + ib is arg (a + ib) = θ = tan−1 (b/a).
Modular Arithmetic
7
Of course, in terms of polar coordinates, |a+ib| = r. We can express z = a+ib in terms of the polar coordinates of (a, b) as follows: z = a + ib = r(a/r + i b/r) = |z| (cos θ + i sin θ ). This way of writing a complex number is particularly convenient for multiplication. For instance, if z = |z|(cos θ + i sin θ ) and z = |z |(cos θ + i sin θ ) then zz = |z| · |z | · (cos(θ + θ ) + i sin(θ + θ )). In particular, it follows that for every z = |z| (cos θ + i sin θ) ∈ C and every n ∈ N, z n = |z n | (cos nθ + i sin nθ ). We include in our basic set of axioms for numbers, the following. Axiom 1.1.2 (Well-ordering axiom for N) Every nonempty subset of N has a least element. Example 1.1.3 Let n
A = {n ∈ N | 22 − 1 is divisible by 13}. By the well-ordering axiom, we know that either A is the empty set or that A has a least element. Let A and B be sets. Then A × B = {(a, b) | a ∈ A, b ∈ B} is the Cartesian or direct product of A and B. More generally, if A1 , . . . , An are sets, then A1 × A2 × · · · × An = {(a1 , a2 , . . . , an ) | ai ∈ Ai } is the Cartesian product of the sets Ai . Familiar examples of this would be R2 (the coordinatization of the plane) and Rn (the coordinatization of real
8
Introduction to Applied Algebraic Systems
n-space). For finite sets, we can give a complete listing of the members. For example, if A = {1, 2} and B = {3, 5, 7}, then A × B = {(1, 3), (1, 5), (1, 7), (2, 3), (2, 5), (2, 7)}. Much of mathematics is devoted to the study of functions. Definition 1.1.4 A function or a mapping f from a nonempty set A to a set B is a rule that associates with each element of A a unique element of B. We write f : A → B. The set A is the domain of f , B is the range of f , and {f (x) | x ∈ A} is the image of f . Example 1.1.5 (1) A = set of all people who have reached age 10 B=R f : A → B where f (a) = height in centimeters of the person a at age 10 (2) A = set of all people living in California B = set of all first names f :A→B f (a) = first name of person a (3) A = B = the set of all nonnegative real numbers f :A→B √ f (x) = x 2 + x + 1 (4) A = Rm , B = Rn , where the elements of A and B are viewed as column vectors. Let M be an n × m matrix. T :A→B T (v) = Mv. If A and B are two statements, then we will say that A implies B and write A ⇒ B if the statement B holds whenever the statement A holds. For example, if A is the statement “x is the sum of two odd numbers” and B is the statement that “x is an even number”, then A ⇒ B. Extending this notation, we also write A ⇔ B (which we read as “A if and only if B”) whenever both A ⇒ B and B ⇒ A. Let f : A → B be any mapping. Then f is injective if for all x, y ∈ A, x = y implies that f (x) = f (y) f is surjective if for all y ∈ B, there exists an x ∈ A with f (x) = y f is bijective if it is both injective and surjective. In these circumstances we say that f is an injection, surjection, or bijection, respectively.
Modular Arithmetic
9
Note that f is injective if and only if it satisfies the condition for all x, y ∈ A, f (x) = f (y) =⇒ x = y. We will often rely on this equivalent statement when we wish to establish that a function is injective. Less formally, the term one-to-one (sometimes written as 1-1) may be used instead of injective and onto may be used in place of surjective. If f : A → B is a bijection, it can be helpful to think of f as giving a correspondence between the elements of A and those of B. For this reason we occasionally refer to a bijection as being a one-to-one correspondence or 1-1 correspondence. We shall see in the exercises that the properties of being injective or surjective are indeed independent. However, in one very important situation it turns out that they coincide. This is a very useful fact. Lemma 1.1.6 Let A and B be finite nonempty sets with |A| = |B|. Let f : A → B. Then f is injective if and only if f is surjective. Proof. Let C = {f (x) | x ∈ A} be the image of f . Then it is easily seen that |C| = |A| ⇐⇒ f is injective while |C| = |B| ⇐⇒ f is surjective. Hence, f is injective ⇐⇒| C | = | A | ⇐⇒| C | = | B | ⇐⇒ f is surjective.
In the sections to follow, we will often want to determine whether some function is injective or surjective. So let us consider an example to see exactly how this is done. Let f : R3 → R3 be the function defined by f (x1 , x2 , x3 ) = (x1 − x2 , x2 − x3 , x3 − x1 ).
10
Introduction to Applied Algebraic Systems
Is f injective? To determine this we must consider any elements u, v ∈ R3 and check whether f (u) = f (v) =⇒ u = v. Toward this end, let u = (x1 , x2 , x3 ), v = (y1 , y2 , y3 ) ∈ R3 . Then f (u) = f (v) ⇐⇒ (x1 − x2 , x2 − x3 , x3 − x1 ) = (y1 − y2 , y2 − y3 , y3 − y1 ) ⇐⇒ x1 − x2 = y1 − y2 , x2 − x3 = y2 − y3 , x3 − x1 = y3 − y1 . (1.1) However, these equations do not imply that u = v. For instance, let a be any nonzero real number and let yi = xi + a. Clearly the equations in (1.1) are satisfied, yet (x1 , x2 , x3 ) = (y1 , y2 , y3 ). In particular, if we take a = 1 and u = (0, 0, 0), then v = (1, 1, 1) and clearly f (0, 0, 0) = f (1, 1, 1). Thus, f is not injective. Is f surjective? We could cheat here and invoke a little linear algebra. Since f is a linear transformation and we have seen that its kernel is not the zero subspace, it follows that the dimension of Imf is less than 3. Therefore, Imf = R3 and f is not surjective. However, let us still consider the question from first principles. We have that f is surjective ⇐⇒ ∀ (a, b, c) ∈ R3 , ∃ (x1 , x2 , x3 ) ∈ R3 with f (x1 , x2 , x3 ) = (a, b, c). Now f (x1 , x2 , x3 ) = (a, b, c) ⇐⇒ (x1 − x2 , x2 − x3 , x3 − x1 ) = (a, b, c) ⇐⇒ x1 − x2 = a, x2 − x3 = b, x3 − x1 = c. However, adding these three equations together we find that 0 = a + b + c. Consequently, any element (a, b, c) ∈ R3 that does not satisfy this condition will not be in the image of f . For example, (1, 1, 1) ∈ Imf . Therefore, f is not surjective. If g : A → B and f : B → C are two functions, then the composite f ◦ g is the function from A to C defined by f ◦ g (x) = f (g (x))
(x ∈ A).
For example, if f , g : R → R are functions defined by f (x) = 1 + 2x + 3x 2 ,
g (x) = (1 + x 2 )1/2
Modular Arithmetic
11
then f ◦ g : R → R is defined by f ◦ g (x) = 1 + 2g (x) + 3g (x)2 = 1 + 2(1 + x 2 )1/2 + 3(1 + x 2 ) = 4 + 2(1 + x 2 )1/2 + 3x 2 . The composition of functions satisfies a very important rule. Lemma 1.1.7 Let f : C → D, g : B → C and h : A → B be functions. Then f ◦ (g ◦ h) = (f ◦ g ) ◦ h. Proof. The proof is very simple but it illustrates how we must proceed if we wish to show that two functions are equal. We must show that the “rule” defining each function leads to the same result for all elements in the domain. The domain in this case is A. So let x ∈ A. Then f ◦ (g ◦ h)(x) = f ((g ◦ h)(x)) = f (g (h(x))) while (f ◦ g ) ◦ h(x) = (f ◦ g )(h(x)) = f (g (h(x))). Since we obtain the same result in both cases, the two functions f ◦ (g ◦ h) and (f ◦ g ) ◦ h must be equal. The rule or law in Lemma 1.1.7 is called the associative law. The importance of Lemma 1.1.7 lies in the fact that we no longer need to concern ourselves with the positioning of brackets when composing several functions and so we may write simply f ◦ (g ◦ h) = f ◦ g ◦ h unambiguously. To simplify the notation further, we abbreviate f ◦ g to fg and write f ◦ f = f 2,
f ◦f ◦f =f3
and so forth. A very simple function, but nonetheless an important function, on any nonempty set A is the identity function IA defined by I A (a) = a We will also write IA = 1A .
for all a ∈ A.
12
Introduction to Applied Algebraic Systems
Sometimes functions will “cancel each other out” in the following sense: Two functions f : A → B and g : B → A are said to be inverses (f the inverse of g and g the inverse of f ) if f ◦ g = IB
and g ◦ f = IA .
It is a simple exercise to show that if f and g are inverses, then they are both bijections. Conversely, suppose that f : A → B is a bijection. Then for every element b in B, there exists a unique element a in A with f (a) = b. Therefore we can define a mapping g : B → A by the following: for all b ∈ B, g (b) is the unique element a in A such that f (a) = b. It is easy to see that f ◦ g = IB and that g ◦ f = IA , in other words, f and g are inverse mappings. Consequently, we have the useful observation that a mapping f : A → B is a bijection if and only if f has an inverse. Exercises 1.1 1. Use the notation {· · · | · · · } to describe each of the following sets. (i) {1, 2, 3, . . . , 100}. (ii) The set of all even integers. (iii) {3, 6, 9, . . .}. 2. Let A = {a, b, c, d}. List all possible subsets of A. 3. Let A be a nonempty set with | A |= n. Show that A has 2n subsets. 4. For each of the following pairs of sets, decide whether A ⊂ B, B ⊂ A, A = B, or none of these hold. (i) A = set of even positive integers, B = {x ∈ N | x 2 is even }. (ii) A = {1, 3, 5, 7, 9}, B = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}. (iii) A = {x ∈ N | ∃ y ∈ N with x = y 2 }, B = {x ∈ N | ∃ y ∈ N with x = y 3 }. (iv) A = {x ∈ N | 1 < x < 20 and x − 1 is divisible by 3}, B = {x ∈ N | 1 < x < 20 and x 2 − 1 is divisible by 3}. ∗ 5.
Let A, B, and C be subsets of a set X . Show that A ∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C) and that A ∪ (B ∩ C) = (A ∪ B) ∩ (A ∪ C). (These equalities are known as the distributive laws.)
Modular Arithmetic
13
In each of the Exercises 6 through 14, determine whether the function f : A → B is injective, surjective, or bijective. 6. A = R, B = R, f (x) = 2x − 3. 7. A = R, B = R, f (x) = x 2 . 8. A = R, B = R, f (x) = e x . 9. A = R, B = R, f (x) = x 3 − 2x + 1. 10. A = R2 , B = R3 , f (x1 , x2 ) = (x1 + x2 , x1 − x2 , 2x1 − 3x2 ). 11. A = R3 , B = R2 , f (x1 , x2 , x3 ) = (x1 + x3 , x2 − x3 ). 12. A = R2 , B = R2 , f (x1 , x2 ) = (2x1 + x2 , x2 ). 13. A = R3 , B = R3 , f (x1 , x2 , x3 ) = (x1 − x3 , x2 + x3 , x1 − x2 − 2x3 ). 14. A = R3 , B = R3 , f (x1 , x2 , x3 ) = (x1 + x2 + x3 , x2 − x3 , x2 ). In Exercises 15 and 16, determine whether the functions f , g : R3 → R3 are inverses (of each other). 15. f (x1 , x2 , x3 ) = (x1 + x2 , x2 + x3 , x1 + x3 ); g (x1 , x2 , x3 ) = 12 (x1 − x2 + x3 , x1 + x2 − x3 , −x1 + x2 + x3 ). 16. f (x1 , x2 , x3 ) = (x1 + x2 + x3 , x2 , x3 ); g (x1 , x2 , x3 ) = (x1 − x2 − x3 , −x1 + x2 − x3 , −x1 − x2 + x3 ). 17. Let A = B = {1, 2} and C = {1, 2, 3}. List all the elements of A × B and A × B × C. Is A × B a subset of A × B × C? Is {1} × B × {2, 3} a subset of A × B × C? 18. Let A and B be nonempty sets and f : A → B. Show that IB f = f = fIA . ∗ 19.
Let A = {1, 2, 3, 4} and let TA denote the set of mappings from A to A. An element f ∈ TA is an idempotent if f 2 = f . Let f ∈ TA be such that f (1) = 2, f (2) = 3, f (3) = 4, f (4) = 3. (i) (ii) (iii) (iv)
∗ 20.
Find the smallest integer n such that f n is an idempotent. Find g ∈ TA such that fgf = f and gfg = g . Show that fg and gf are idempotents. Find h, k ∈ TA such that h = IA and hk = kh = IA .
Let A be a nonempty set and g : A → B, f : B → C be mappings. Establish the following: (i) fg injective =⇒ g is injective. (ii) fg surjective =⇒ f is surjective. Give examples to show the following: (iii) fg injective need not imply that f is injective. (iv) fg surjective need not imply that g is surjective.
14
Introduction to Applied Algebraic Systems
1.2 Induction
A tremendously important tool in the study of structures that involve natural numbers is the method of argument called induction. Imagine that we wish to show that a certain statement is true for all integers n that are greater than or equal to some fixed integer a. For example, the claim might be that for all positive integers n ≥ 1, 1 12 + 22 + . . . + n 2 = n(n + 1)(2n + 1). 6 One way to proceed would be to assume that the claim is false and then to show that this leads to a contradiction. If the claim is false, then, by the Well Ordering Axiom, there must be a smallest value of n for which the claim does not hold, that is, 1 12 + 22 + . . . + n 2 = n(n + 1)(2n + 1). 6 However, when n = 1, we have that the left side of the equation reduces to 12 = 1 and the right side reduces to 16 · 1 · 2 · 3 = 1. Thus, the claim is true for 1 and we may assume that the claim holds for the sum of 1, 2, . . ., up to n − 1 squares. Since the claim holds for the sum of n − 1 squares, we must have: 1 12 + 22 + . . . + (n − 1)2 = (n − 1)(n)(2n − 1) 6 so that 1 12 + 22 + . . . + (n − 1)2 + n 2 = (n − 1)(n)(2n − 1) + n 2 6 1 = n(n + 1)(2n + 1). 6 But this contradicts our assumption that the claim failed for n. Hence the claim must hold for all nonnegative integers. This method of proof is formalized in what is known as the principle of induction. Notice that in the above argument, we were able to assume that the claim was true for 1, 2, . . . , n − 1, but only actually used the validity of the claim for n − 1. This is a common occurrence in these types of arguments and is reflected in two equivalent forms of the principle.
Modular Arithmetic
15
First Form of the Principle of Induction 1.2.1 Let A be a subset of N0 with the following properties: (1) A contains the integer a. (2) If A contains n where n ≥ a, then A contains n + 1. Then A contains all integers greater than or equal to a. The element a is referred to as the base of the induction argument, (2) is referred to as the induction step and the assumption in (2) that n ∈ A is called the induction hypothesis. The induction principle is really just another form of the well-ordering axiom. Example 1.2.2 Show by induction that 1 1 · 2 + 2 · 3 + 3 · 4 + · · · + n(n + 1) = n(n + 1)(n + 2) 3
(1.2)
for all positive integers n. Let A denote the set of positive integers n for which the equation (1.2) holds. We wish to show that A = N. When n = 1, we have Left side of (1.2) = 1 · 2 = 2 Right side of (1.2) =
1 1 · 2 · 3 = 2. 3
Thus, equation (1.2) holds when n = 1. In other words, 1 ∈ A and we can take a = 1 as the base for our induction. We now adopt the induction hypothesis that equation (1.2) holds for some integer n, where n ≥ 1, and we wish to complete the induction step by showing that the equation (1.2) holds when we replace n with n + 1. The left side then becomes 1 · 2 + 2 · 3 + · · · + n(n + 1) + (n + 1)(n + 2) 1 = n(n + 1)(n + 2) + (n + 1)(n + 2) by the induction hypothesis 3 1 = (n + 1)(n + 2)(n + 3) 3 1 = (n + 1)((n + 1) + 1)((n + 1) + 2). 3
16
Introduction to Applied Algebraic Systems
Thus, equation (1.2) also holds when n is replaced with n + 1. By the first form of the principle of induction, this implies that A = {n ∈ N | n ≥ 1}. In other words, A = N, as required. Second Form of the Principle of Induction 1.2.3 Let A be a subset of N0 with the following properties: (1) A contains the integer a. (2) If n ≥ a and A contains every integer k with a ≤ k ≤ n, then A contains n + 1. Then A contains all integers greater than or equal to a. Again, the number a is the base for the induction argument, the assumption that “n ≥ a and A contains every integer with a ≤ k ≤ n” is the induction hypothesis and the verification of the conclusion in (2) is the induction step. We will illustrate the second form of the principle of induction by using it to prove an important result concerning integers in Section 1.4. The principle of induction is an important tool in studying properties of integers. However, induction is not the only method that we can apply to establish statements concerning integers. This point is well illustrated by the following treatment of progressions. An arithmetic progression is a sequence a1 , a2 , a3 , . . ., often written as {an }, of integers such that the difference between any two successive numbers in the sequence is a constant For example, the sequence 2, 5, 8, 11 . . . is an arithmetic progression with constant difference 3. A general arithmetic progression takes the form a, (a + d), (a + 2d), . . . , (a + (n − 1)d) . . . . The nth term of the progression is a + (n − 1)d and the sum of the first n terms is S = a + (a + d) + (a + 2d) + · · · + (a + (n − 1)d). The number d is referred to as the common difference. We can find a compact expression for S if we rewrite it as follows: S = a + (a + d) + (a + 2d) + · · · + (a + (n − 1)d) S = (a + (n − 1)d) + (a + (n − 2)d) + (a + (n − 3)d) + · · · + a.
Modular Arithmetic
17
Adding, we obtain 2S = (2a + (n − 1)d) + (2a + (n − 1)d) + · · · + (2a + (n − 1)d) (n terms) = n(2a + (n − 1)d) so that S=
n (2a + (n − 1)d). 2
(1.3)
This leads to many useful formulae. If we take a = d = 1, then we obtain 1 + 2 + ··· + n =
n(n + 1) 2
whereas if we take a = 1 and d = 2 we obtain 1 + 3 + · · · + (2n − 1) = n 2 . A geometric progression is a sequence {an }, of integers such that the ratio between any two successive numbers in the sequence is a constant For example, the sequence 2, 6, 18, 54 . . . is an geometric progression with constant ratio 3. A general geometric progression takes the form a, ar, ar 2 , . . . , ar n−1 . . . . The nth term of the progression is ar n−1 and the sum of the first n terms is S = a + ar + ar 2 + · · · + ar n−1 . The number r is referred to as the common ratio. Multiplying by r we obtain rS = ar + ar 2 + · · · + ar n so that S − rS = a − ar n and S=a
(1 − r n ) 1−r
provided r = 1. This also has some interesting special cases. If we take a = 1, r = 2, then we obtain 1 + 2 + 22 + · · · + 2n−1 =
1 − 2n = 2n − 1 1−2
18
Introduction to Applied Algebraic Systems
whereas if a = 1 and r = 3 we find 1 1 + 3 + 32 + · · · + 3n−1 = (3n − 1). 2 An interesting sequence of numbers with many strange connections is the Fibonacci sequence {an } of natural numbers and it is defined inductively as follows: a1 = 1,
a2 = 1,
an+2 = an + an+1 .
The first few terms of the sequence are 1, 1, 2, 3, 5, 8, 13, . . . . Each term of the sequence, after the first two terms, is the sum of the two preceding terms. Leonardo Fibonacci was born in Pisa, Italy, in about 1170. As a result of traveling extensively around the Mediterranean, he became familiar with the Hindu-Arabic system of numerals with which we are so familiar, but which was not yet in general use in Europe. He authored four mathematical texts. The Fibonacci numbers first appear as the solution to a rabbit population problem in Liber Abaci, by Fibonacci, which first appeared in 1202. The Fibonacci sequence shows up in other strange ways, such as the number of petals in certain flowers, and has connections to the “Golden Ratio”. Exercises 1.2 Let n be a positive integer. Establish the following by induction. 1. 1 + 5 + 9 + · · · + (4n + 1) = (2n + 1)(n + 1). 2. 2 + 4 + 6 + · · · + 2n = n(n + 1). 3. 3 + 3 · 4 + 3 · 42 + · · · + 3 · 4n−1 = 4n − 1. 4. 12 + 32 + 52 + · · · + (2n − 1)2 = n3 (2n − 1)(2n + 1). 2 . 5. 13 + 23 + 33 + · · · + n 3 = n(n+1) 2 6. 14 + 24 + 34 + · · · + n 4 =
1 30 n(n
+ 1)(2n + 1)(3n 2 + 3n − 1).
7. Show that the nth Fibonacci number an satisfies an < 2n . 8. Show that for all n ≥ 2, the Fibonacci numbers satisfy: (i) an an+1 − an−1 an = an2 . (ii) an−1 an+1 − an2 = (−1)n . 9. Show that for all n ≥ 1, the Fibonacci numbers satisfy: a12 + a22 + · · · + an2 = an an+1 . ∗ 10.
Show that if A is a set with n elements, then A has 2n subsets.
Modular Arithmetic
19
1.3 Divisibility
For any integers x and y, we say that x is a divisor of y or that x divides y if there exists an integer q with y = qx. We write x | y to indicate that x divides y. Note that for all integers x we have 0 = 0 · x. Thus, every integer divides zero. Lemma 1.3.1 Let a, b, c ∈ Z. If a | b and a | c, then a | b ± c. Proof. Exercise.
Note that the converse of Lemma 1.3.1 does not hold. For example, 5 divides 10 = 2 + 8. But 5 does not divide 2 or 8. We all know from elementary arithmetic that if we divide one integer a by another integer b = 0, then we obtain a quotient and a remainder. For example, if a = 181 and b = 17 then a = 10b + 11. This idea is formalized in the next result. Lemma 1.3.2 (The Division Algorithm) Let a and b be integers with b > 0. Then there exist unique integers q and r, with a = bq + r
and
0 ≤ r < b.
Proof. We break the proof into two parts. First, the existence of the integers q and r, and then their uniqueness. Existence. Let R = {x ∈ N0 | ∃ y ∈ Z with a = by + x}. Since we can write a = b · 0 + a if a ≥ 0 and a = b · a + (1 − b)a if a < 0, where (1 − b)a ∈ N0 , it follows that R = ∅. By the well-ordering principle, we then know that R has a least member r, say. By the definition of R, there must be an integer q with a = bq + r. If r ≥ b, then a = bq + r = bq + b + (r − b) = b(q + 1) + (r − b) where 0 ≤ r − b < r. This contradicts the minimality of r. So we must have 0 ≤ r < b. Uniqueness. Now suppose that q and r are also integers such that a = bq + r where 0 ≤ r < b.
20
Introduction to Applied Algebraic Systems
Then, 0 = a − a = bq + r − (bq + r ) = b(q − q ) + (r − r ) so that r − r = b(q − q ). But 0 ≤ r, r < b so that −b < r − r < b and the only way that we can have b dividing r − r is if r − r = 0. Thus, r = r , which then implies that b(q − q ) = 0. Since b = 0, we conclude that q − q = 0 and therefore q = q . This establishes the uniqueness of q and r. By the greatest common divisor of two integers a and b, at least one of which is nonzero, we mean the largest integer d such that d | a and d | b. Since 1 divides every integer, it is clear that the greatest common divisor exists and is an integer lying between 1 and the smaller of | a | and | b |. It is customary to abbreviate the words greatest common divisor to g.c.d. and to denote the g.c.d. of the integers a and b by gcd(a, b) or simply (a, b). Example 1.3.3 Find the g.c.d. of 36 and 94. Answer: The positive divisors of 36 are 1, 2, 3, 4, 6, 9, 12, 18, 36, and the positive divisors of 45 are 1, 3, 5, 9, 15, 45. Since the largest number dividing both 36 and 45 is 9, the greatest common divisor of 36 and 45 is 9. When working with small numbers, it is an easy matter to find the greatest common divisor. All that we need to do is to find all the divisors of both the integers and select the largest divisor common to both numbers. This becomes less practical when dealing with really large numbers. The next result gives us an efficient algorithm that works well with large integers. While the array of equations may appear daunting at first sight, it should be less so once it is appreciated that it is only formulating a sequence of long divisions. Theorem 1.3.4 (The Euclidean Algorithm) Let a ∈ Z, b ∈ N and qi (2 ≤ i ≤ n), ri (2 ≤ i ≤ n) be defined by the equations a = bq2 + r2 b = r2 q3 + r3 r2 = r3 q4 + r4 .. . rn−2 = rn−1 qn + rn rn−1 = rn qn+1 .
0 ≤ r2 < b 0 ≤ r3 < r2 if r2 > 0 0 ≤ r4 < r3 if r3 > 0 0 ≤ rn < rn−1 if rn−1 > 0 rn+1 = 0
Modular Arithmetic
21
Then, (i) rn = (a, b). (ii) If c ∈ Z, c | a and c | b then c | (a, b). (iii) There exist x, y ∈ Z with (a, b) = xa + yb. (The reason for starting the indices for qi and ri with i = 2 will become apparent in Theorem 1.3.6.) Proof. By repeated application of the division algorithm, we know that there exist integers q2 and r2 such that the first equation holds, and then integers q3 and r3 such that the second equation holds, and so on. Let r1 = b. Since the integers b = r1 , r2 , r3 , r4 , . . . are nonnegative and decreasing, there must be some integer n ≥ 0 with rn+1 = 0, rn = 0. Now from the last equation we deduce that rn | rn−1 ; from the secondto-last equation we deduce that rn | rn−2 , from the third to last equation we deduce that rn | rn−3 and so on, so that eventually we obtain rn | a and rn | b. Thus, rn is a common divisor of a and b, and rn ≥ 1. Now let c ∈ Z and c | a and c | b. Reversing the argument of the preceding paragraph, it now follows from the first equation that c | r2 . From the second equation it then follows that c | r3 , from the third equation it follows that c | r4 , and so on, until we finally obtain that c | rn . Therefore, c ≤ rn and, consequently, we must have rn = gcd(a, b), which establishes (i). Since we now know that rn = gcd(a, b), on rereading the previous paragraph, we find that we have established (ii). From the second-to-last equation, we have rn = rn−2 − rn−1 qn . Using the third-to-last equation, we can eliminate rn−1 to obtain rn = rn−2 − qn (rn−3 − qn−1 rn−2 ). Then we can eliminate rn−2 and so on until we finally obtain rn = xa + yb for some integers x and y.
Example 1.3.5 Let a = 710, b = 68. Then 710 = 68 × 10 + 30 68 = 30 × 2 + 8
(1.4)
22
Introduction to Applied Algebraic Systems
30 = 8 × 3 + 6 8=6×1+2 6 = 2 × 3. Therefore, (710, 68) = 2. Moreover, working our way back up this system of equations we have 2=8−6 = (68 − 2 × 30) − (30 − 3 × 8) = 68 − 2(710 − 10 × 68) − (710 − 10 × 68) + 3 × (68 − 2 × 30) = b − 2 × a + 20 × b − a + 10 × b + 3b − 6(710 − 10 × 68) = b − 2a + 20b − a + 10b + 3b − 6a + 60b = −9a + 94b. For positive integers a and b, we shall frequently refer to the fact that the Euclidean algorithm enables us to compute gcd(a, b). However, we shall see later that it is also important to have a good algorithm to calculate integers x, y with ax + by = (a, b). The method used in the previous example is clearly unmanageable in larger computations. Theorem 1.3.6 (The Extended Euclidean Algorithm.) Let a, b ∈ N and qi , ri (2 ≤ i) be defined as in Theorem 1.3.4. Let x0 = 1, y0 = 0, r0 = a x1 = 0, y1 = 1, r1 = b and for i ≥ 2 define xi = xi−2 − qi xi−1 ,
yi = yi−2 − qi yi−1 .
Then, (a, b) = xn a + yn b. Proof. Exercise. (Hint: Show that rk = xk a + yk b for 0 ≤ k ≤ n.)
Example 1.3.7 If we apply this extended Euclidean algorithm to the previous example with a = 710, b = 68, then we can tabulate the outcome step by
Modular Arithmetic
23
step as follows: i 0 1 2 3 4 5 6
qi — — 10 2 3 1 3
ri 710 68 30 8 6 2 0
xi 1 0 1 −2 7 −9 34
yi 0 1 −10 21 −73 94 −355
Since r6 = 0, it follows as before that (710, 68) = r5 = 2 and, from the extended Euclidean algorithm, that 2 = −9 × 710 + 94 × 68. Two integers a, b are relatively prime if (a, b) = 1 whereas integers a1 , . . . , ak are pairwise relatively prime if they are relatively prime in pairs—that is, (ai , aj ) = 1 for all i, j. For example, 8 and 15 are relatively prime whereas 8, 15, and 49 are pairwise relatively prime. Corollary 1.3.8 Let a, b ∈ Z. Then a and b are relatively prime if and only if there exist x, y ∈ Z with ax + by = 1. Proof. If a and b are relatively prime then (a, b) = 1 so that, by Theorem 1.3.4 (the Euclidean algorithm), there exist integers x, y with 1 = (a, b) = ax + by. Conversely, if there exist integers x, y with 1 = ax + by and if d = (a, b), then d divides a and b, and therefore d | 1. But, d ≥ 1. Therefore we must have d = 1. Example 1.3.9 175 = 52 × 7 and 72 = 23 × 32 . Thus, (175, 72) = 1. The Euclidean algorithm yields 175 = 72 × 2 + 31 72 = 31 × 2 + 10 31 = 10 × 3 + 1 10 = 1 × 10 + 0. whereas back substitution or the extended Euclidean algorithm will yield 1 = 7 × 175 + (−17) × 72.
24
Introduction to Applied Algebraic Systems
The next result gives us a really important characterization of the greatest common divisor of two integers and details the properties that we use most. Corollary 1.3.10 Let a and b be integers, not both of which are zero. Let d ∈ Z. Then d = (a, b) if and only if it satisfies all the following conditions: (i) d ≥ 1. (ii) d | a and d | b. (iii) If c ∈ Z, c | a and c | b, then c | d. Proof. In light of Theorem 1.3.4 (the Euclidean algorithm) and the definition of the greatest common divisor, it is clear that the greatest common divisor satisfies the three conditions (i), (ii), and (iii). Conversely, let d satisfy conditions (i), (ii), and (iii). By (i) and (ii), d is a positive common divisor of a and b. If c is any other positive common divisor of a and b, then, by (iii), c | d so that c ≤ d. Therefore, d is indeed the greatest common divisor. Dual to the concept of the greatest common divisor of two integers a and b we have the concept of least common multiple of two nonzero integers a and b, which we define to be, as the words suggest, the least positive integer that is divisible by both a and b. Clearly, | a | · | b | is divisible by both a and b so that there is indeed a least positive integer divisible by a and b, and it must lie between 1 and | a | | b |. When convenient, we abbreviate least common multiple to lcm and write lcm(a, b). Lemma 1.3.11 Let a, b be nonzero integers and m ∈ N. Then m is the least common multiple of a and b if and only if (i) m ≥ 1, (ii) a, b | m, (iii) if n ∈ N and a, b | n then m | n. Proof. Exercise.
Exercises 1.3 1. Show that x | 0 for all x ∈ Z. 2. Show that if a | b and b | c then a | c. 3. Show that if d | a and d | b then d | ax + by for all x, y ∈ Z. 4. Show that if a > 0, b > 0, and a | b then a ≤ b. 5. Show that if a, b ∈ Z are such that a | b and b | a, then a = ±b. 6. 3 | 22n − 1.
Modular Arithmetic
25
7. 15 | 42n − 1. 8. 2 | n 2 + 3n. 9. 6 | n 3 + 3n 2 + 2n. 10. Show that if n is odd then 8 | n 2 − 1. 11. Show that if n is even then 6 | n 3 − n. 12. Show that if n is odd then 24 | n 3 − n. 13. For each of the following pairs of integers a, b, use the extended Euclidean algorithm to find d = gcd(a, b) and also integers x, y such that d = ax + by. (i) 175; 72. (ii) 341; 377. (iii) 1848; 525. 14. Let a, b, c ∈ Z and d = (a, b). Show that there exist x, y ∈ Z with ax + by = c if and only if d | c. 15. Find integers x, y such that 36x + 75y = 21. 16. Show that if a, b, c ∈ Z, c = 0, and ca | cb, then a | b. 17. Let a, b ∈ Z, c ∈ N. Show that (ca, cb) = c(a, b). 18. Let a, b ∈ Z and d = (a, b). Show that
a b , d d
= 1.
19. Show that for all a, n ∈ N, (a, a + n) | n. 20. Let a, b ∈ N. Show that if (a, b) = 1 then (a + b, a − b) is either 1 or 2. ∗ 21.
Let a, b be integers, not both of which are zero. Let B be a 2 × 2 matrix with integer entries such that det(B) = ±1 and B a d = b 0 where d is a positive integer. Show that (a, b) = d.
26
Introduction to Applied Algebraic Systems
22. In this exercise we develop some interesting properties of the numbers that appear in the extended Euclidean algorithm. Set rn+1 = 0. Now establish the following: (i) (a, b) = xn a + yn b. (ii) For Ak = xk xk+1
yk , yk+1
det(Ak ) = (−1)k . (iii) (xk , yk ) = 1 for 1 ≤ k ≤ n + 1. (iv) Ak a rk . = rk+1 b (v) a yn+1 =− . b xn+1 23. Just for the purposes of this exercise, for all nonzero integers a, b, c define (a, b, c) to be the greatest integer d such that d divides a, b and c. Show that (i) (a, b, c) = ((a, b), c). (ii) ∃ x, y, z ∈ Z with (a, b, c) = xa + yb + zc. 24. Show that any two consecutive Fibonacci numbers are relatively prime. 25. (i) Let a, b ∈ N, x, y ∈ Z be such that ax + by = 1. Show that (yn + a, −xn + b) = 1 for all n ∈ Z. (ii) Show that (4n + 3, 7n + 5) = 1 for all n ∈ Z. 26. Show that, for all positive integers a, b, ab = gcd(a, b) × lcm(a, b). 1.4 Prime Numbers
A positive integer p > 1 is a prime or a prime number if the only positive integer divisors of p are 1 and p itself. The first few primes are 2, 3, 5, 7, 11, 13, 17, 19. Since the time of the ancient Greeks, the study of prime numbers and the search for new prime numbers has fascinated mathematicians. This interest
Modular Arithmetic
27
has intensified in recent years as a result of the importance of large prime numbers in such modern applications as cryptography, which we will have a look at later. The largest known prime numbers currently are of the form 2n − 1, with n on the order of 43 million. However, a new record is being set roughly every 2 years or so. The latest record can be found easily via an Internet search. There is a simple, but important, characterization of prime numbers that we tend to take for granted. Lemma 1.4.1 Let p ∈ N, p > 1. Then p is a prime number if and only if it satisfies the following condition: (C)
for any a, b ∈ Z,
p | ab =⇒ p | a or p | b.
Proof. First suppose that p satisfies (C). Let x ∈ N and x | p. Then there exists y ∈ N with p = xy. Clearly we must have 1 ≤ x, y ≤ p. But, p = xy implies that p | xy and therefore, by (C), p | x or p | y. If p | x then necessarily p = x and y = 1, whereas if p | y then necessarily p = y and x = 1. Therefore, either x = 1 or x = p. This means that p must be prime. Now let us assume that p is a prime number and that p | ab where a, b ∈ Z. Let d = (a, p). Then d | p so that d = 1 or p. If d = p, then p = d | a, as required. So suppose that d = 1. By Theorem 1.3.4, there exist s, t ∈ Z with 1 = sa + tp. Then b = sab + tpb. Now p | ab so that p | sab and p | tpb. Therefore, p | b as required. Our familiarity with the equivalence established in Lemma 1.4.1 can easily lead us to assume that these two properties are fundamentally (and obviously?) the same. However, this is far from true. Indeed, the two properties are not equivalent in certain number systems closely related to the integers. The next result is one that is usually encountered (without proof) in high school. However, the proof is very interesting because it provides an excellent illustration of the second form of the principle of induction. Also note that the proof invokes Lemma 1.4.1, which is the reason that we could not use this result to help us prove Lemma 1.4.1. Theorem 1.4.2 (The Fundamental Theorem of Arithmetic) Let n ∈ N, n = 1. Then there exist distinct primes p1 , . . . , pk and integers n1 , . . . , nk ∈ N such that n = p1 n1 · · · pk nk .
(1.5)
28
Introduction to Applied Algebraic Systems
Moreover, this expression is unique in the sense that if q1 , . . . , q are also distinct primes and m1 , . . . , m ∈ N are such that n = q1 m1 · · · q m
(1.6)
then k = , {p1 , . . . , pk } = {q1 , . . . , qk }, and if pi = qj , then ni = mj . Proof. Our first step is to prove the following claim by induction: Claim: Every integer n > 1 can be expressed as a product of primes as in Equation (1.5). If n = 2, then the result is clearly true, so that we may take 2 to be the base for our induction argument. For our induction hypothesis, we make the assumption that the claim is true for all integers k such that 2 ≤ k ≤ n. To apply the second form of the principle of induction, we must now show that the claim holds for n + 1—that is, that n + 1 can be written as a product of primes. If n + 1 is itself a prime, then there is nothing to prove because n + 1 is clearly expressible as a product of primes. So suppose that n + 1 is not a prime. Then there must exist integers a, b with 1 < a, b ≤ n and n + 1 = ab. By our induction hypothesis we know that a and b can be written in the form a = a1 r1 · · · at rt ,
b = b1 s1 · · · busu
where ai , bj are primes and ri , sj ∈ N. It follows that n + 1 = ab = a1 r1 · · · at rt b1 s1 · · · busu . In other words, n + 1 can be written as a product of primes. By the second form of the principle of induction, this establishes our claim. It remains for us to tackle the question of uniqueness. So suppose that we have two expressions (1.5) and (1.6) for n as a product of primes. Let us write them as n = p1 p2 · · · pm = q1 q2 · · · qn
(1.7)
where pi , qi are primes, but pi (respectively, qj ) are not necessarily distinct. Then p1 | n = q1 (q2 · · · qn ) so that, by Lemma 1.4.1, either p1 | q1 or p1 | q2 · · · qn . Repeating this argument we find that there must be qj such that p1 | qj . But qj is itself a prime
Modular Arithmetic
29
and so divisible by only 1 and qj . Therefore, we must have p1 = qj . Dividing Equation (1.7) by p1 = qj , we obtain p2 · · · pm = q1 · · · qj−1 qj+1 · · · qn . Repeating the previous argument, we find that each pi pairs off with a qj , which it equals. Clearly, there can be no qj ’s left over and so we obtain the desired uniqueness. The fundamental theorem of arithmetic provides an easy verification of Euclid’s discovery that there are infinitely many prime numbers. Suppose, on the contrary, that there were only finitely many prime numbers. Then we could list them as p1 , p2 , . . . , pk , say. Let n = p1 p2 , · · · pk . Then n + 1 is, by the fundamental theorem of arithmetic, equal to a product of prime numbers. But clearly it is not divisible by any of p1 , p2 , . . . , pk . Hence, there must be another prime that is not contained in this list. Thus we have a contradiction and there must be infinitely many prime numbers. The factorization of n into a product of primes in Equation (1.5) is called the prime factorization of n. When the prime factorization of two integers is available, we may use it to calculate their greatest common divisor (as we have in fact been doing with small examples). Corollary 1.4.3 Let a, b ∈ N and rm a = p1r1 · · · pm ,
sm b = p1s1 · · · pm
(where some ri , sj may be zero) be the prime factorizations of a and b. Then, tm (a, b) = p1t1 · · · pm
where ti = min(ri , si ), 1 ≤ i ≤ m. Proof. Exercise.
Example 1.4.4 Let a = 510 136 1911 294 735 ,
b = 54 113 296 733 798 .
Then, a = 510 110 136 1911 294 735 790 ,
b = 54 113 130 190 296 733 798
so that (a, b) = 54 110 130 190 294 733 790 = 54 294 733 .
30
Introduction to Applied Algebraic Systems
In the next lemma we gather together some observations that are useful in calculations involving greatest common divisors. We could use the fundamental theorem of arithmetic to establish these results and we encourage you to do that. However, to develop more familiarity with other approaches, we provide alternative proofs. Lemma 1.4.5 Let a, b, c ∈ Z. (i) (ii) (iii) (iv)
If c > 0, and c | a, b then (a, b) = c(a/c, b/c). If a | bc, and (a, b) = 1 then a | c. (a, bc) = 1 if and only if (a, b) = 1 and (a, c) = 1. If a | c, b | c and (a, b) = 1 then ab | c.
Proof. (i) Let d = (a, b). Since c | a, b, it follows from Corollary 1.3.10 (iii) that c | d. Let d = d1 c, a = a1 c, and b = b1 c. Then d1 c = d | a = a1 c, which implies that d1 | a1 . Similarly, d1 | b1 . Thus d1 is a divisor of a1 and b1 . Now suppose that x ∈ N and x | a1 , b1 . Then xc | a1 c = a and xc | b1 c = b and so, by Corollary 1.3.10 (iii), xc | d = d1 c. Therefore, x | d1 and, by Corollary 1.3.10, d1 = (a1 , b1 ) so that (a, b) = d = cd1 = c(a1 , b1 ) = c(a/c, b/c). (ii) The proof of this part illustrates a common technique that is used when working with greatest common divisors. Since (a, b) = 1, it follows from Theorem 1.3.4 that there exist integers x and y with ax + by = 1. Then, c = c · 1 = axc + bcy. Now a | bc, by hypothesis, and clearly a | axc. Consequently, a | axc + bcy = c, as required. (iii) and (iv). Exercises.
Exercises 1.4 1. Let a, b ∈ N have prime factorizations rm sm a = p1r1 p2r2 · · · pm , b = p1s1 · · · pm
where some ri , sj may be zero. Show that gcd(a, b) = p1 min(r1 ,s1 ) · · · pm min(rm ,sm ) lcm(a, b) = p1 max(r1 ,s1 ) · · · pm max(rm ,sm ) .
Modular Arithmetic
31
2. Show that for all a, b ∈ N, gcd(a, b) × lcm(a, b) = ab. 3. Let a, b, c ∈ N. Prove Lemma 1.4.5(iii), that is that (a, bc) = 1 ⇐⇒ (a, b) = 1
and
(a, c) = 1.
4. Let a, b, c ∈ N. Prove Lemma 1.4.5(iv), that is, that a | c, b | c, (a, b) = 1 =⇒ ab | c. 5. Show that if n ≥ 2 √ and n is not a prime, then there exists a prime p such that p | n and p ≤ n. 6. Use Exercise 5 to determine whether 439 is a prime. 7. Show that for all a, b, x ∈ N x ab − 1 = (x a − 1)(x (b−1)a + x (b−2)a + · · · + x a + 1). 8. Use Exercise 7 to show that if 2n − 1 is a prime, then n is one as well. (Prime numbers of the form 2p − 1 are known as Mersenne primes. At time of writing, the six largest known prime numbers are all Mersenne primes.) 9. Find a prime p such that 2p − 1 is not a prime. 10. Show that for all x, k ∈ N, x 2k+1 + 1 = (x + 1)(x 2k − x 2k−1 + · · · − x + 1). 11. Let a, k, ∈ N be such that a > 1 and let m = (2k + 1). Show that a m + 1 is not a prime. (Hint: Put x = a and use Exercise 10.) 12. Show that if m ∈ N is such that 2m + 1 is a prime, then m = 2n for some n ∈ N. (Hint: Use Exercise 11.) 13. Show that 232 + 1 = (29 + 27 + 1)(223 − 221 + 219 − 217 + 214 − 29 − 27 + 1) 5
and deduce that 22 + 1 is not a prime. n
14. Show that 22 + 1 is a prime for n = 0, 1, 2, 3, and 4. (Numbers of the n form 22 + 1 are known as Fermat numbers.) 15. Show that for all n ∈ N, none of the n consecutive integers (n + 1)! + 2, (n + 1)! + 3, · · · , (n + 1)! + n + 1 is prime.
32
Introduction to Applied Algebraic Systems
16. Show that for all n ∈ N, the integer n! + 1 is not divisible by any prime number less than n + 1. Deduce that there must be infinitely many prime numbers. 17. Show that no rational number satisfies the equation x 2 = 2. 1.5 Relations and Partitions
By a relation R on a set A we mean a subset of A × A. If (a, b) ∈ R, then we also write a R b and we say that a is related to b. This definition of a relation is just a generalization to arbitrary sets of the familiar notion of relationships between people (e.g., having the same height, weight, birthday, being the brother/sister of) or places (e.g., having a smaller population, milder climate) or things (being denser, harder, darker, and so forth.) that we use every day. Example 1.5.1 Let A = N6 = {1, 2, 3, 4, 5, 6} and R = {(1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6) (2, 2), (2, 4), (2, 6), (3, 3), (3, 6), (4, 4), (5, 5), (6, 6)}. Do you recognize this relation? It is just the relationship of “being a divisor of ”. Thus, R = {(a, b) | a, b ∈ N6 and a | b}. The following properties that a relation may (or may not) have are particularly important. Let R be a relation on a set A. Then R is (1) reflexive if a R a for all a ∈ A, (2) symmetric if a R b ⇒ b R a, (3) transitive if a R b, b R c ⇒ a R c. Example 1.5.2 Let the relations R1 , R2 be defined on Z as follows: a R1 b ⇐⇒ a < b. a R2 b ⇐⇒ a ≤ b. a R3 b ⇐⇒ a and b have the same prime divisors. Then R1 is transitive but not reflexive or symmetric, R2 is reflexive and transitive but not symmetric, and R3 is reflexive, symmetric, and transitive. If a relation is reflexive, symmetric, and transitive, then it is called an equivalence relation. Equivalence relations will occur frequently in our discussions, with the following being one of the most fundamental.
Modular Arithmetic
33
Let n ∈ N and a, b ∈ Z. Then we say that a is congruent to b modulo n or that a is congruent to b mod n if n divides a − b. We adopt the notation a ≡ b mod n or a ≡n b or a ≡ b to indicate that a is congruent to b mod n. If we take n = 2, then a ≡ b mod 2 if and only if 2 divides a − b in other words, if and only if a and b are both even or both odd. Theorem 1.5.3 Let n ∈ N. Then ≡n is an equivalence relation on Z. Proof. We must show that ≡n is reflexive, symmetric, and transitive. (i) ≡n is reflexive. For all a ∈ Z, a − a = 0 and n | 0. Therefore, a ≡n a. (ii) ≡n is symmetric. Let a, b ∈ Z and a ≡n b. This means that n divides a − b. But then n divides b − a so that b ≡n a. (iii) ≡n is transitive. Let a, b, c ∈ Z, a ≡n b and b ≡n c. Then n divides a − b and n divides b − c. This means that there exist x, y ∈ Z with nx = a − b ny = b − c. Hence, n(x + y) = nx + ny = a − c. In other words, n divides a − c and a ≡n c.
Let I be a nonempty set. For each i ∈ I , let Xi be a nonempty set. Then X = {Xi | i ∈ I } is a family of sets indexed by I or with index I . A partition of a nonempty set X is a family {Xi | i ∈ I } of nonempty subsets of X such that (i) X = ∪i∈I Xi . (ii) i = j ⇒ Xi ∩ Xj = ∅. The sets Xi are referred to as the parts of the partitition. Example 1.5.4 Let X = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, X1 = {1, 3}, X2 = {2, 4, 6, 8, 10}, X3 = {5}, X4 = {7, 9}. Then {Xi | i = 1, 2, 3, 4} is a partition of X . Equivalence relations and partitions are closely related concepts.
34
Introduction to Applied Algebraic Systems
Lemma 1.5.5 Let R be an equivalence relation on a nonempty set X . For each x ∈ X , let Cx = {z ∈ X | x R z}. Then, (i) for all x ∈ X , x ∈ Cx , (ii) for all x, y ∈ X , Cx ∩ Cy = ∅ =⇒ Cx = Cy , (iii) X = ∪x∈X Cx , (iv) PR = {Cx | x ∈ X } is a partition of X . Proof. (i) Let x ∈ X . Then we have x R x, since R is reflexive. Thus, x ∈ Cx and Cx = ∅. (ii) Let x, y, z ∈ X and z ∈ Cx ∩ Cy . Then w ∈ Cy =⇒ x R z, y R z, y R w =⇒ x R z, z R y, y R w =⇒ x R y, y R w =⇒ x R w =⇒ w ∈ Cx .
since R is symmetric since R is transitive since R is transitive
Consequently, Cy ⊆ Cx . Repeating the previous argument with the roles of x and y interchanged, we can similarly show that Cx ⊆ Cy . Thus, Cx = Cy . Parts (iii) and (iv) follow immediately from parts (i) and (ii). If R is an equivalence relation on a nonempty set X and x ∈ X , then Cx = {z ∈ X | x R z} is called the (equivalence) class of x with respect to R. If R is ≡n , then it is customary to adopt the notation Cx = [x]n
or
Cx = [x].
It is important to develop an understanding of these equivalence classes. Example 1.5.6 (1) The equivalence relation ≡2 has just two classes: [0] = {0, ±2, ±4, . . .} and [1] = {±1, ±3, . . .}.
Modular Arithmetic
35
(2) The equivalence relation ≡3 has three classes: [0] = {0, ±3, ±6, . . .}, [1] = {. . . , −5, −2, 1, 4, 7, . . .}, [2] = {. . . , −4, −1, 2, 5, . . .}. (3) For n ∈ N and a ∈ Z, the class of a is [a] = {a + kn | k ∈ Z}. Note that, for example, [0]2 = [2]2 = [−2]2 = [4]2 = . . . [2]3 = [−1]3 = [5]3 = [8]3 = . . . [a]n = [a + n]n = [a − n]n = . . . . Lemma 1.5.7 Let P = {Xi | i ∈ I } be a partition of X . Let a relation R = RP be defined on X by a R b ⇐⇒a and b lie in the same part of the partition P . Then R is an equivalence relation on X . Proof. Clearly, R is reflexive, symmetric, and transitive.
Theorem 1.5.8 Let X be a nonempty set, R an equivalence relation on X , and P a partition of X . Then, RPR = R
and PRP = P .
R → PR
and
Thus the mappings P → RP
are inverse bijections from the set of equivalence relations to the set of partitions and from the set of partitions to the set of equivalence relations on X . Proof. Exercise.
Exercises 1.5 In questions 1 through 8 a relation is defined on a set X . In each case, determine whether the relation is reflexive, symmetric, or transitive.
36
Introduction to Applied Algebraic Systems
1. X = Z, a R b ⇐⇒ a | b. 2. X = Z, a R b ⇐⇒ a + b = 10. 3. X = Z, a R b ⇐⇒ a − b > 0. 4. X = Z, a R b ⇐⇒ 3 | a + b. 5. X = Z × (Z\{0}), (a, b) R (c, d) ⇐⇒ ad = bc. 6. X = R × R, (a, b) R (c, d) ⇐⇒ (a − c)2 + (b − d)2 ≤ 1. 7. X = R × R, (a, b) R (c, d) ⇐⇒ ac + bd = 0. 8. X = {1, 2, . . . , 9}, a R b ⇐⇒ (a, b) > 1. 9. Define the relation R on Z × Z by (a, b) R (c, d) ⇐⇒ b − a = d − c. Show that R is an equivalence relation and describe the classes of R geometrically. 10. Define the relation R on R × R by (a, b)R (c, d) ⇐⇒ a 2 + b 2 = c 2 + d 2 . Show that R is an equivalence relation and describe the classes of R geometrically. 11. Define the relation R on X = {1, 2, . . . , 20} by a R b ⇐⇒a and b have the same prime divisors. Show that R is an equivalence relation. Describe the classes of the corresponding partition of X . 12. Describe a partition of the set of all prime numbers into four classes.
1.6 Modular Arithmetic
The relation ≡n is the main focus of our attention in this chapter. Here we begin to develop some of its properties. Lemma 1.6.1 Let n ∈ N, a ∈ Z, and a = qn + r where 0 ≤ r < n. Then r is the unique element in [a]n ∩ [0, n − 1]. In particular, a ≡ r mod n. Proof. We have
a − r = qn,
Modular Arithmetic
37
which means that a ≡n r and r ∈ [a]n . Hence, r ∈ [a]n ∩ [0, n − 1]. To see that r is unique in this regard, let r ∈ [a]n ∩ [0, n − 1]. Then, a ≡n r so that n | a − r . Let a − r = q n where q ∈ Z. Then we have a = qn + r
and a = q n + r
where 0 ≤ r, r < n. By the uniqueness property of the division algorithm, it follows that q = q and r = r . Therefore, r is unique. We will denote by Zn the set of distinct classes of ≡n . Thus, Zn = {[0], [1], . . . , [n − 1]}.
Note that | Zn | = n. We refer to Zn as the (set of) integers modulo n. It is the next result that enables us to consider Zn as an algebraic structure. Lemma 1.6.2 Let a, b, c, d ∈ Z and n ∈ N. Let a ≡n b and c ≡n d. Then, (i) a + c ≡n b + d, (ii) a − c ≡n b − d, (iii) ac ≡n bd. Proof. By the hypothesis, there exist q, q ∈ Z such that a − b = qn,
c − d = q n.
Then, (a + c) − (b + d) = (a − b) + (c − d) = qn + q n = (q + q )n. Thus, n | (a + c) − (b + d) and so a + c ≡n b + d. This establishes part (i), and the proof of part (ii) is similar. Also, ac − bd = ac − bc + bc − bd = (a − b)c + b(c − d) = qnc + bq n = (qc + bq )n. Thus, n | ac − bd and ac ≡n bd. This establishes part (iii).
38
Introduction to Applied Algebraic Systems
Corollary 1.6.3 Let k, n ∈ N and a, b ∈ Z be such that a ≡n b. Then (i) ±ka ≡n ±kb, (ii) a k ≡n b k . The observations in Lemma 1.6.2 can be described by saying that the equivalence relation ≡n respects the operations of addition and multiplication in Z. It is for this reason that we also refer to the relation ≡n not just as the equivalence relation modulo n but as the congruence relation modulo n, and that we refer to the classes of ≡n as the congruence classes mod n. The fact that ≡n respects the addition and multiplication in Z makes it possible for us to define new operations of addition and multiplication in Zn as follows: For all [a]n , [b]n ∈ Zn , [a]n + [b]n = [a + b]n [a]n [b]n = [ab]n . Since the operations of addition and multiplication involve the combination of two classes, we refer to them as binary operations. It is easy to see that we can deal with multiples of elements and powers of elements in the natural way: k[a]n = [ka]n
(k ∈ Z)
([a]n )k = [a k ]n
(k ∈ N).
When [a]n = [0]n , we define ([a]n )0 = [1]n . All the familiar laws of exponents will now hold. Example 1.6.4 Here are some examples of “arithmetic” in Zn : [3]7 + [6]7 = [9]7 = [2]7 [10]6 + [13]6 = [23]6 = [5]6 [3]7 · [6]7 = [18]7 = [4]7 [10]6 · [13]6 = [130]6 = [4]6 . Notice that in this new “arithmetic” it does not matter whether we add [3]7 and [6]7 or [10]7 and [−15]7 . Since [3]7 = [10]7 and [6]7 = [−15]7 , the result will be the same: [10]7 + [−15]7 = [−5]7 = [2]7 . Similarly, we may use [−2]6 instead of [10]6 and [−11]6 in place of [13]6 : [−2]6 · [−11]6 = [22]6 = [4]6 .
Modular Arithmetic
39
The answer is the same. In other words the rule for the addition (multiplication) of the classes [a]n and [b]n is independent of the choice of the “representatives” that we work with from [a]n and [b]n . Thus, if [a]n = [a ]n and [b]n = [b ]n , then [a]n + [b]n = [a + b]n = [a + b ]n = [a ]n + [b ]n and likewise [a]n [b]n = [a ]n [b ]n . The new addition and multiplication depend only on the classes and not on any particular choice of representatives. We say that formally as follows: Lemma 1.6.5 Addition and multiplication in Zn are well defined. Theorem 1.6.6 For all n ∈ N, the (binary) operations + and · in Zn obey the following laws: (1) [a] + [b], [a] · [b] ∈ Zn .
Closure
(2) [a] + ([b] + [c]) = ([a] + [b]) + [c], [a]([b][c]) = ([a][b])[c]. Associativity (3) [a] + [b] = [b] + [a], [a] · [b] = [b] · [a].
Commutativity
(4) [a] + [0] = [a], [a] · [1] = [a].
Zero and identity
(5) [a]([b] + [c]) = [a][b] + [a][c].
Distributivity
(6) For all [a] ∈ Zn , ∃ a unique [b] ∈ Zn with [a] + [b] = [0]—namely, [−a].
Existence of inverse
Proof. Exercise.
It is worth noting that Theorem 1.6.6(1) holds trivially because of the discussion preceding the theorem. However, closure is not always so obvious or even true when introducing operations on a set. For example, if we consider the operation of division on the set of nonzero integers, then it is well defined but the result of dividing one integer by another may be a proper fraction rather than another integer.
40
Introduction to Applied Algebraic Systems
When the modulus n is clear, we write simply a or [a] for [a]n . Thus, for example, we write Zn = {0, 1, 2, . . . , n − 1}.
or, Z7 = {0, 1, 2, 3, 4, 5, 6}.
This greatly simplifies the notation, but we must try to ensure that there is no ambiguity. For this reason, and to add emphasis, we will still use the class notation [a] or [a]n when appropriate. We call [0] the zero element of Zn and [1] the identity or unity element of Zn . Note that these elements behave just like 0 and 1 in Z: [0] + [a] = [a] + [0] = [a] [0] · [a] = [a] · [0] = [0] [1] · [a] = [a] · [1] = [a] for all [a] ∈ Zn . For small values of n we can completely describe the addition and multiplication by means of “tables”. Example 1.6.7 (1) Z2 = {0, 1}. + 0 1
0 0 1
· 0 1
1 1 0
0 0 0
1 0 1
(2) Z3 = {0, 1, 2}. + 0 1 2
0 0 1 2
1 1 2 0
2 2 0 1
· 0 1 2
0 0 0 0
1 0 1 2
2 0 2 1
We refer to the rules of addition and multiplication in Zn as modular arithmetic. Modular arithmetic can be used to simplify many calculations in regular arithmetic. An interesting and sometimes useful rule of arithmetic states that an integer (written in standard form to the base 10) is divisible by 3 or 9 if and only if the sum of its digits is divisible by 3 or 9, respectively. For example, the sum of the digits of n = 2543694 is 33, which is divisible by 3 but not 9.
Modular Arithmetic
41
Therefore, n is divisible by 3 but not 9. The explanation for this can be found easily by using modular arithmetic. We first note that 10 = 9 + 1 ≡ 1 mod 9 or 3 100 = 99 + 1 ≡ 1 mod 9 or 3 1000 = 999 + 1 ≡ 1 mod 9 or 3 and so on. Therefore, if x = xn xn−1 · · · x2 x1 x0 is an integer with digits xn , xn−1 , . . . , x1 , x0 then x = xn 10n + xn−1 10n−1 + · · · + x1 10 + x0 ≡ xn · 1 + xn−1 · 1 + · · · + x2 · 1 + x1 · 1 + x0 mod 9 or 3 ≡ xn + xn−1 + · · · + x1 + x0 mod 9 or 3. Thus, x ≡ 0 mod 9 or 3 if and only if xn + xn−1 + · · · + x1 + x0 ≡ 0 mod 9 or 3. Consequently 9 (or 3) divides x if and only if it divides the sum xn + · · · + x2 + x1 + x0 of its digits. Another feature of modular arithmetic is that certain calculations that may appear quite daunting at first glance turn out to be relatively simple. The secret is to spot integers that can be reduced to much simpler integers. For example, suppose we want to calculate the least positive remainder of 2350 on division by 34. We calculate a few powers of 2: 22 = 4, 23 = 8, 24 = 16, 25 = 32. Now 25 = 32 ≡ −2 mod 34. Therefore, every time we see 25 we can replace it by −2: 2350 = (25 )70 ≡ (−2)70 = 270 ≡ (25 )14 ≡ (−2)14 = 214 = (25 )2 · 24 ≡ (−2)2 · 24 = 26 = 25 · 2 ≡ (−2) · 2 ≡ −4 mod 34 ≡ 30 mod 34. From this, it follows that 30 is the remainder when 2350 is divided by 34.
42
Introduction to Applied Algebraic Systems
The same idea works for other products. For example, 7642 ≡9 7 + 6 + 4 + 2 = 19 ≡9 1 8741 ≡9 8 + 7 + 4 + 1 = 20 ≡9 2 so that 7642 × 8741 ≡9 1 × 2 = 2. Thus, for example, the least positive remainder of 7642 × 8741 upon division by 9 is 2. Modular arithmetic has many interesting applications, as will become apparent later. However, even at this stage we can see how it can be used to study questions that don’t, at first sight, appear to have anything to do with modular arithmetic. By a Diophantine equation, we mean any equation with integer coefficients in variables x, y, z, . . . (such as x 2 + 2y 3 + 3z 5 = 0). The search for integer or rational solutions to Diophantine equations is a fascinating and important topic that we can only mention in passing here. A few of the exercises will indicate how modular arithmetic can sometimes help. Exercises 1.6 1. Which of the following integers are related with respect to the given modulus? −14, −12, −5, 0, 1, 21, 32, 462 (i) mod 3. (ii) mod 5. (iii) mod 6. 2. Match the products (in Z12 ) [4][5], [5][6], [5][7], [9][9], [13][15] to the following classes [3], [−4], [−3], [114], [−1]. 3. Let a = 11, 736, 412 and b = 12, 543. Without multiplying out or doing long division, show the following: (i) (ii) (iii) (iv)
ab ≡ 6 mod 10. ab ≡ 1 mod 5. ab ≡ 6 mod 9. The remainder on division of a by 9 is 7.
Modular Arithmetic
43
4. Show that (i) 2213 ≡ 1 mod 7. (ii) 7108 ≡ 1 mod 12. (iii) 3333 ≡ 8 mod 31. 5. Show that, for all n ∈ N, 10n ≡ (−1)n mod 11. 6. Show that if a = xn xn−1 · · · x2 x1 in base 10 notation, then a ≡ x1 − x2 + x3 − · · · + (−1)n−1 xn mod 11. 7. Show that 43, 171, 234 ≡ 7 mod 11. 8. Let m be a positive integer. Show that 3 divides 22m+1 + 1 and 22m − 1. m
m+1
9. Show that if 22 ≡ −1 mod p, then 22 m (22
10. Show that Use Exercise 9.)
n + 1, 22
≡ 1 mod p.
+ 1) = 1 for all m, n ∈ N with m = n. (Hint:
11. Construct addition and multiplication tables for Z5 and Z6 . 12. For which nonzero elements x ∈ Z12 does there exist a nonzero element y with xy = 0? What about in Z5 and Z7 ? 13. Let p be a prime and k be an integer such that 0 < k < p. Show that p ≡ 0 mod p k where
p k
denotes the kth binomial coefficient.
14. Let f and g be the mappings of Z5 into itself defined by f (x) = x 3 + 2x 2 + 3 g (x) = x 3 − 3x 2 + 5x − 2
(x ∈ Z5 ) (x ∈ Z5 ).
Show that f = g . 15. Let R be the equivalence relation on Z defined by a R b ⇐⇒ a and b are divisible by the same primes. Show that R respects multiplication but not addition.
44
Introduction to Applied Algebraic Systems
16. An element a ∈ Zn is a quadratic residue if the equation x 2 = a has a solution in Zn . List the quadratic residues in (i) Z3 (ii) Z6 (iii) Z7 . 17. (i) Show that the only solution to the equation x 2 + y 2 = 0 in Z3 is x = y = 0. (ii) Let k ∈ Z be such that (3, k) = 1. Show that there are no integer solutions to the equation x 2 + y 2 = 3k. 18. (i) Show that the only solution to the equation x 2 + y 2 = 0 in Z7 is x = y = 0. (ii) Let k ∈ Z be such that (k, 7) = 1. Show that there are no integer solutions to the equation x 2 + y 2 = 7k. 1.7 Equations in Zn
Let a ∈ Z, n ∈ N, and f (x) = ak x k + ak−1 x k−1 + · · · + a1 x + a0 be a polynomial with integer coefficients. Suppose that f (a) ≡ 0 mod n. Then, for all b ≡ a mod n we will have f (b) ≡ f (a) ≡ 0 mod n. This leads us to consider polynomials over Zn . Indeed, if we are going to calculate modulo n, then we should really treat the coefficients as elements of Zn so that we could write f (x) = [ak ]x k + [ak−1 ]x k−1 + · · · + [a1 ]x + [a0 ] as a polynomial with coefficients in Zn . Then, for all [a] ∈ Zn , f ([a]) = [ak ][a]k + [ak−1 ][a]k−1 + · · · + [a1 ][a] + [a0 ] = [ak a k + ak−1 a k−1 + · · · + a1 a + a0 ] = [f (a)]. Thus, f (a) ≡ 0 mod n ⇐⇒ f ([a]) = 0
in Zn .
So we speak of the class [a] as being a solution of the congruence or zero of the congruence f (x) ≡ 0 mod n or a root or zero of the polynomial f (x) ∈ Zn [x].
Modular Arithmetic
45
The number of solutions (modulo n) to this congruence then means the number of distinct classes (that is, distinct elements of Zn ) that are solutions. Naturally we begin the study of equations in Zn with the consideration of linear equations. Theorem 1.7.1 Let a ∈ Z, n ∈ N. Then the following statements are equivalent: (i) (ii) (iii) (iv) (v)
(a, n) = 1. ∃ x ∈ Z with ax ≡ 1 mod n. ∃ x ∈ N with ax ≡ 1 mod n. ∃ [x] ∈ Zn with [a][x] = [1]. ∃ a unique [x] ∈ Zn with [a][x] = [1].
Proof. (i) implies (ii). By Corollary 1.3.8, there exist x, y ∈ Z with ax +ny = 1. In other words, ax − 1 = n(−y) so that ax ≡ 1 mod n. (ii) implies (iii). Let x ∈ Z be such that ax ≡ 1 mod n and let k ∈ N be such that x + kn > 0. Then, a(x + kn) = ax + akn ≡ 1 + 0 mod n ≡ 1 mod n. (iii) implies (iv). By the definition of multiplication in Zn it is clear that (iii) implies the existence of an [x] ∈ Zn with [a][x] = [1]. Equivalence of (iv) and (v). Clearly (v) implies (iv). Now suppose that we have elements [x], [y] ∈ Zn such that [a][x] = [1] = [a][y]. Then, [x] = [x] · [1] = [x][a][y] = [a][x][y] = [1] [y] = [y]. Thus the uniqueness in part (v) comes as a bonus. (iv) implies (ii). This is obvious. (ii) implies (i). Let x ∈ Z be such that ax ≡ 1 mod n. Then there must exist q ∈ Z with ax − 1 = qn or ax + n(−q) = 1. By Corollary 1.3.8, this means that (a, n) = 1, as required. It follows that each of the statements implies all the other statements and therefore they are all equivalent. The results of Theorem 1.7.1 can be generalized as follows: Corollary 1.7.2 Let a ∈ Z and n ∈ N. Then the following statements are equivalent: (i) (a, n) = 1. (ii) ax ≡ b mod n has a solution for all b ∈ Z. (iii) [a][x] = [b] has a unique solution in Zn , for all [b] ∈ Zn .
46
Introduction to Applied Algebraic Systems
Proof. (i) implies (ii). By Theorem 1.7.1, there exists z ∈ Z with az ≡ 1 mod n. Consequently, a(zb) = (az)b ≡n 1 · b = b. (ii) implies (iii). It follows immediately from (ii) and the definition of Zn and the multiplication in Zn that every equation of the form [a][x] = [b] will have a solution in Zn . To show that the solution will be unique, first let [z] be a solution to the equation [a][z] = [1]. Now let [b], [x], [y] ∈ Zn be such that [a][x] = [b] = [a][y]. Then, [x] = [1][x] = [z][a][x] = [z][a][y] = [1][y] = [y] and the solution is indeed unique. (iii) implies (i). Taking b = 1, the hypothesis implies that there exists [x] ∈ Zn with [a][x] = [1]. The claim then follows from Theorem 1.7.1. An element [a] in Zn is said to be invertible or to be a unit if there exists [x] ∈ Zn such that [a][x] = [1]—that is, if it satisfies the condition in part (iv) of Theorem 1.7.1. Of course, when we identify Zn = {0, 1, . . . , n − 1}, then we would speak of the element a as being invertible (it being understood that we mean in Zn or modulo n). Although we use part (iv) of Theorem 1.7.1 to define invertible elements, we use part (i) to find them. Example 1.7.3 The invertible elements in Z7 are 1, 2, 3, 4, 5, and 6, whereas the invertible elements in Z10 are 1, 3, 7, and 9. Lemma 1.7.4 Let p be a prime number. Then the invertible elements in Zp are 1, 2, 3, . . . , p − 1. Proof. Let a ∈ Zp . Since p is a prime number, (a, p) = 1 if and only if a ∈ {1, 2, 3, . . . , p − 1}. In other words, the invertible elements in Zp are simply 1, 2 . . . , p − 1. If [a] ∈ Zn is invertible, then we write [a]−1 for the unique element of Zn with the property that [a][a]−1 = [1] and we call [a]−1 the inverse of [a]. When [a] is invertible, this provides an elegant way of writing the solution to the equation [a][x] = [b]. For we have [a]([a]−1 [b]) = ([a][a]−1 )[b] = [1][b] = [b]
Modular Arithmetic
47
so that the unique solution to the equation [a][x] = [b] is given by [x] = [a]−1 [b]. Finding the inverse of an invertible element [a] ∈ Zn is extremely easy. Since [a] is invertible, we know from Theorem 1.7.1 that (a, n) = 1 and so, by the Euclidean algorithm, there exist x, y ∈ Z with ax + ny = 1. From this we see that ax ≡ 1 mod n which means that [a][x] = [1] in Zn . Thus, [x] = [a]−1 and we can use the extended Euclidean algorithm to calculate inverses in Zn . Lemma 1.7.5 The set of units in Zn is closed under multiplication. Proof. Let a and b be invertible elements in Zn . By Theorem 1.7.1, this means that there exist x, y ∈ Z with ax ≡n 1
and by ≡n 1.
Consequently, (ab)(xy) = (ax)(by) ≡n 1 · 1 = 1. Thus, ab is also invertible.
We will denote the set of units in Zn by Z∗n . Thus Zn∗ = {[a] ∈ Zn | [a] is invertible}. It is interesting to take a moment to see what it means for a nonzero element a in Zn not to be invertible. By Theorem 1.7.1, this means that we must have d = (a, n) > 1. Then dn ∈ N and 1 ≤ dn < n so that [ dn ] = 0. However, we also have da ∈ Z, from which it follows that [a]
n
n a = a = n = [0]. d d d
Thus there exists a nonzero solution to the equation [a][x] = [0]. This, of course, is something that can never happen in “usual” arithmetic. We have a special name for such elements. If a ∈ Zn , a = 0 and there exists b ∈ Zn with b = 0 such that ab = 0, then we say that a is a zero divisor.
48
Introduction to Applied Algebraic Systems
Corollary 1.7.6 Let n ∈ N, n > 1. (i) Zn has zero divisors if and only if n is not a prime. (ii) Let a ∈ Zn , a = 0. Then a is a zero divisor if and only if (a, n) > 1. (iii) Let a ∈ Zn , a = 0. Then a is a zero divisor if and only if it is not invertible. Proof. Exercise.
Example 1.7.7 The noninvertible elements in Z12 are 0, 2, 3, 4, 6, 8, 9, and 10, and we have 2 · 6 = 3 · 4 = 6 · 10 = 8 · 9 = 0. We are all so familiar with the cancellation law in the arithmetic of Z that we take it for granted that if ax = ay and a = 0, then x = y. This law does not always hold in Zn . For instance, we have, in Z12 , that [3] = [6] and [4] = 0. But, [4][3] = [12] = [0] = [24] = [4][6]. However, invertible elements in Zn can always be cancelled. Lemma 1.7.8 Let a, x, y ∈ Z, n ∈ N, and (a, n) = 1. Then ax ≡ ay mod n =⇒ x ≡ y mod n. Equivalently, if [a], [x], [y] ∈ Zn and [a] is invertible, then [a][x] = [a][y] =⇒ [x] = [y]. Proof. Since (a, n) = 1, we know from Theorem 1.7.1 that there is an element b ∈ Z with ab ≡ 1 mod n. Consequently, ax ≡n ay =⇒ bax ≡n bay =⇒ 1 · x ≡n 1 · y =⇒ x ≡n y.
Our focus has been on solutions to ax ≡n b where (a, n) = 1. However, solutions can also exist when (a, n) > 1. Lemma 1.7.9 Let a, b ∈ Zn . (i) ax ≡ b mod n has a solution if and only if (a, n) divides b. (ii) If d = (a, n) divides b, then ax ≡ b mod n has d solutions in the interval 1 ≤ x ≤ n. Proof. Exercise.
One interesting application of modular arithmetic is the construction of certain kinds of patterns in arrays of numbers. A latin square is an n ×n matrix
Modular Arithmetic
49
of n symbols arranged in such a way that each symbol appears exactly once in each row and column. This idea is explored further in exercises 15 and 16. Exercises 1.7 1. Find all solutions to the following equations: (i) x 2 + 2x + 1 = 0 in Z8 . (ii) x 3 + 2x 2 + 4 = 0 in Z5 . 2. List the invertible elements in Z6 , Z8 , Z11 , and Z12 . 3. Find the inverse of each invertible element in Z15 . 4. Use the fact that 23 × 107 − 41 × 60 = 1 to find the inverse of 23 in Z41 . 5. Find the inverse of 17 ∈ Z95 . 6. Find the solution to each of the following congruences ax ≡ b by finding [a]−1 and calculating [a]−1 [b]: (i) 3x ≡ 7 mod 10. (ii) 4x ≡ 5 mod 9. 7. Let a, b ∈ Zn . Show that (i) a invertible =⇒ a −1 invertible and (a −1 )−1 = a (ii) a, b invertible =⇒ ab invertible and (ab)−1 = b −1 a −1 . 8. Let p be a prime and a ∈ Zp . (i) Show that a = a −1 ⇐⇒ a 2 = 1. (ii) Deduce that a = a −1 ⇐⇒ a = 1 or p − 1. 9. (Wilson’s Theorem) Show that for all primes p, (p − 1)! ≡ −1 mod p. (Hint: Use Exercise 8 to pair off elements and their inverses in the product (p − 1)!.) 10. Solve the following system of equations in Z3 : x − 2y = 1 x − y = 1.
50
Introduction to Applied Algebraic Systems
11. (i) Solve the following system of equations in Q: x − 2y = 1 2x − y = 1. (ii) Does the system in (i) have a solution in Z3 ? Z5 ? 12. Solve the following system of equations in Z5 : 3x + y + 2z = 3 x + y + 2z = 2 2x + y + 4z = 3. 13. Evaluate the following determinant in (i) Q, (ii) Z4 , (iii) Z5 : 3 1 2 2 5 4 −2 1 3 ∗ 14.
Solve 81x ≡ 105 mod 879.
15. Let A = (aij ) be the n × n matrix where aij = (i − 1) + (j − 1)
(i, j ∈ Zn ).
Show that A is a latin square. 16. Let p be a prime. Let At (t ∈ Zp ∗ ) denote the p × p matrix over Zp with the (i, j)th entry equal to ti + j (i, j ∈ Zp ). (i) With p = 5, calculate A1 , A2 , A3 . (ii) Show that each At (with arbitrary p, t ) is a latin square. (iii) Show that for all a, b ∈ Zp and any distinct t , u ∈ Zp ∗ , there is at most one position (i, j) such that (At )ij = a
and
(Au )ij = b.
(Such latin squares are said to be orthogonal.)
Modular Arithmetic
51
1.8 Bar codes
Bar codes are based on the simple yet clever observation that by representing the digit one by a bar line and the digit zero by a bar space it is possible to represent any sequence of ones and zeros (and therefore any number) by a sequence of bar lines and bar spaces. Many items passing through our hands, from library books to grocery store items, are labeled with bar codes. These bar codes are simply coded sequences of numbers that can be read by optical scanners. They can be used to keep track of inventory, to speed the tallying of grocery bills, or as a security check. It is a technology that we encounter almost everywhere in our lives. The first bar code was developed by Bernard Silver and Norman Woodland in 1948. Bar codes are now only one example of a class of techniques that go under the title of symbologies. An interesting history of the development (and near failure) of bar codes other symbologies (such as the bull’s-eye “circular” bar system) can be found in [Nel]. The code that appears on supermarket items is called the universal product code (UPC ) and it consists of a sequence of 12 digits, each of which is drawn from {0, 1, 2, . . . , 9}. In other words, it is a vector in Z10 12 . The first 11 digits contain information concerning the producer and the product. The 12th digit is a check digit. The 12th digit is chosen to ensure that the dot product of the code with the check vector (31 31 31 31 31 31) is congruent to 0 mod 10. In the first few pages of any recent book you will find the International Standard Book Number (ISBN ). For books published prior to 2007, this is a sequence of 10 digits chosen from {0, 1, 2, . . . , 9, X } where the symbol X represents the number 10. The first nine digits carry information concerning the book and the publisher. The 10th digit is a check digit to ensure that when the dot product is formed with the check vector (10 987654321), the answer is congruent to 0 mod 11. This system is now referred to as ISBN-10. In 2007, anticipating a shortage in the availability of ISBN-10 code numbers to cope with the increasing volume of books, a new system, ISBN-13, was introduced. This is a sequence of 13 digits chosen from {0, 1, 2, . . . , 9}. The dot product of the 13 digits with the check vector (1 3 1 3 1 3 1 3 1 3 1 3 1) must be congruent to 0 mod 10. The first 12 digits carry information concerning the book and the publisher. The last digit is a check digit. The 13th digit must equal the difference between 10 and the dot product of the first 12 digits with the check vector (1 3 1 3 1 3 1 3 1 3 1 3) and reduced modulo 10. For example, suppose that we wish to calculate the check digit for the ISBN-13 number: 978-0-19-536387. First we calculate P =9×1+7×3+8×1+0×3+1×1+9×3+5×1+3×3 + 6 × 1 + 3 × 3 + 8 × 1 + 7 × 3 = 124. Now we reduce 124 modulo 10 to obtain 4 and finally subtract 4 from 10 to obtain 6. If the result at this stage was 10, then we would reduce it modulo 10
52
Introduction to Applied Algebraic Systems
to 0. However, the result this time is 6, so no further reduction is required and we have x = 4. Note that ISBN-13 will not detect all transpositions. In this example, the adjacent digits 3 and 8 differ by 5, so that if they are transposed, then we obtain 3 × 1 + 8 × 3 = 27 instead of 3 × 3 + 8 × 1 = 17 as the contributions from these components to the dot product. Since 27 and 17 are congruent modulo 10, the transposition will not alter the result of the calculation and therefore will be recognized. Example 1.8.1 (1) Consider the UPC number (0 47400 11710 5). The dot product with the check vector is (047400117105) · (31 31 31 31 31 31) = 0 + 4 + 21 + 4 + 0 + 0 + 3 + 1 + 21 + 1 + 0 + 5 = 0 mod 10. (2) Consider the ISBN-10 number (0672215012). The dot product of this vector with the check vector (10 9 8 7 6 5 4 3 2 1) is (0672215012) · (10 987654321) = 0 + 54 + 56 + 14 + 12 + 5 + 20 + 0 + 2 + 2 = 165 ≡ 0 mod 11. The purpose of the final check digit is to detect errors in reading the code. Suppose that the code in Example 1.8.1 (1) was read as (047400171105). Note that the second 7 has been interchanged with the preceding 1. The dot product then becomes (047400171105) · (313131313131) = 0 + 4 + 21 + 4 + 0 + 0 + 3 + 7 + 3 + 1 + 0 + 5 = 48 ≡ 8 mod 10. A scanning device would signal that an unacceptable code was recorded and that the code should be reread or checked. The error-detecting component of these systems consists of a check vector and a modulus. Clearly, some choices will be better than other choices. The UPC system will certainly detect any single-digit error. For instance, suppose that the vector a = (a1 a2 . . . ai . . . a12 ) is read as b = (a1 a2 . . . bi . . . a12 )—that is, the ith digit is read as bi instead of ai . Let us assume that i is odd. A similar discussion applies if i is even. Since a is a proper UPC
Modular Arithmetic
53
code vector, we have 3a1 + a2 + 3a3 + · · · + 3ai + · · · a12 ≡ 0 mod 10. Consequently, when we apply the check vector to b we obtain 3a1 + a2 + 3a3 + · · · + 3bi + · · · = 3a1 + a2 + 3a3 + · · · + 3ai + · · · + a12 + 3bi − 3ai ≡ 0 + 3(bi − ai ) mod 10 ≡ 3(bi − ai ) mod 10. But 0 ≤ ai , bi ≤ 9. So, the only way that the result 3(bi − ai ) can be congruent to 0 mod 10 is if bi = ai . Thus, a single error will always be detected. Of course, multiple errors might compensate for each other. A very common error, at least for the human eye, is the transposition of two digits. For example, 0195056612 is read as 0159056612. The UPC system will detect most transpositions. Let a = (a1 a2 . . . ai ai+1 . . . a12 ) b = (a1 a2 . . . ai+1 ai . . . a12 ) where a is a legitimate UPC code. Again we will assume that i is odd, although a similar argument will apply when i is even. When i is odd, we have b · (3131 . . . 31) = 3a1 + a2 + · · · + 3ai+1 + ai + · · · + a12 = 3a1 + a2 + · · · + 3ai + ai+1 + · · · + a12 − 2ai + 2ai+1 ≡ 2(ai+1 − ai ) mod 10. Thus the error will pass undetected if 2(ai+1 − ai ) ≡ 0 mod 10, which is equivalent to ai+1 −ai ≡ 0 mod 5 or, since 0 ≤ ai , ai+1 ≤ 9, to | ai+1 −ai |= 5. The ISBN-10 system will detect all single-digit errors and also all interchanges, even of digits that are not adjacent. Let a = (a1 a2 . . . ai . . . aj . . . a10 ) b = (a1 a2 . . . aj . . . ai . . . a10 ) where a is a legitimate ISBN-10 code. Then b · (10 9 8 · · · 1) = 10a1 + · · · + maj + · · · + nai + · · · + a10 = 10a1 + · · · + mai + · · · + naj + · · · a10 + (m − n)aj − (m − n)ai ≡ (m − n)(aj − ai ) mod 11.
54
Introduction to Applied Algebraic Systems
But 1 ≤ n < m ≤ 10 so that 1 ≤ m − n ≤ 9 and (m − n, 11) = 1. Thus m − n is invertible mod 11 so that (m − n)(aj − ai ) ≡ 0 mod 11 if and only if aj − ai ≡ 0 mod 11. Since 0 ≤ ai , aj ≤ 9, aj − ai ≡ 0 mod 11 if and only if ai = aj . Thus, all transpositions will be detected. The error detecting capabilities of ISBN-13 are similar to those of the UPC code. The error-detecting capabilities of bar codes are summarized in the following result. Theorem 1.8.2 Let a bar-coding scheme consist of those vectors in Zm n for which the dot product with the check vector c = (c1 , . . . , cm ) is congruent to zero modulo n. (i) All single-digit errors will be detected if and only if (ci , n) = 1 for all 1 ≤ i ≤ m. (ii) All transpositions will be detected if and only if (ci − cj , n) = 1 for all 1 ≤ i < j ≤ m. Armed with this information regarding the basic properties of bar code systems, let us now see how to create a system of our own. Suppose that we would like to label up to 2 million items (library cards, coffee club members, etc.). Then we want to have at least 7 digits plus a check vector, for a total of 8 digits. So we want to work with 8-tuples of the digits 0, 1, 2, . . . , 9. Next, we want to choose a modulus. Clearly, the modulus should be greater than 9 (otherwise the system would be unable to catch some single-digit errors), and in the previous discussion we saw that choosing a prime improves the errorchecking ability. This makes 11 a very natural choice. Next, we want to choose a check vector c = (c1 c2 . . . c8 ) such that (ci , 11) = 1 and (ci − cj , 11) = 1. The vector c = 12345678 will do just fine. Our set of code vectors will be C = {a = (a1 a2 . . . a8 ) ∈ Z8 | 0 ≤ ai ≤ 9, a · c = 0}. Each item or person is now given a 7-digit number to which a check digit is added, making 8 digits in total. For example, suppose that we give an item the code number 7654321. This is then extended to a vector in C by adding a check digit x to give 7654321x, where x must satisfy 7654321x · 12345678 ≡ 0 mod 11. That is, 7 · 1 + 6 · 2 + 5 · 3 + 4 · 4 + 3 · 5 + 2 · 6 + 1 · 7 + x · 8 ≡ 0 mod 11,
Modular Arithmetic
55
which reduces to 8x + 7 ≡ 0 mod 11. Solving this equation, we find that x = 6. Thus, our item is given the code number 76543216. To convert this into a bar code, we first represent each digit by a sequence of ones and zeros and then represent each one by a solid bar and each zero by a space. Bar code scanners measure the width of bars and spaces, so there is no problem in having several bars or several spaces running together consecutively. However, the scanner must be able to distinguish whether it is reading the number from left to right or from right to left. So we divide the number into left and right halves (LH and RH, respectively): LH = 7654, RH = 3216. We now convert the digits into sequences of zeros and ones using different encodings depending on whether the digit is in the left or the right half. For instance, the following scheme is used in the UPC bar codes: Digit 0 1 2 3 4 5 6 7 8 9
Left Half 0001101 0011001 0010011 0111101 0100011 0110001 0101111 0111011 0110111 0001011
Right Half 1110010 1100110 1101100 1000010 1011100 1001110 1010000 1000100 1001000 1110100 .
Notice that, not only are the digits represented differently in the left and right halves, but even reading any right-half sequence backward is still different from any left-half sequence. However, all left-half sequences begin with at least one zero and all right-half sequences end with at least one zero, so that makes it necessary to place a marker sequence at the beginning and end so that the scanner will know where the actual number itself begins. The sequence 101 is used at both ends for this purpose. Last, the sequence 01010 is inserted in the middle to separate the two halves (note that the left-half sequences all end in a 1, whereas the right-half sequences all begin with a 1). In this way, our simple code number 76543216 becomes converted into the following string of ones and zeros, where spaces have been inserted just to make it possible to recognize more easily the component parts: 101 0111011 0101111 0110001 0100011 01010 1000010 1101100 1100110 1010000 101.
56
Introduction to Applied Algebraic Systems
This is now converted into a bar code, representing each 1 by a bar line and each 0 by a space.
7
6
5
4
3
2
1
6
Bar codes of the type that we have been discussing are known as linear bar codes. Two-dimensional or matrix bar codes are also extensively used. The Bar Code Book by Palmer [Pal] provides a broad survey of bar code symbologies.
Exercises 1.8 1. If 100 200 3x0 405 is a UPC number, what is the value of x? 2. If 2x 31 41 51 62 is an ISBN-10 number, what is the value of x? 3. Show that the UPC system will not detect all transpositions of digits. 4. Let a and b be UPC numbers and x ∈ Z10 . Consider a and b as vectors in Z12 10 (i.e., if a = a1 a2 · · · a12 then consider a as the vector (a1 , a2 , . . . , a12 ) ∈ Z12 10 ). Now show that a + b and xa are also UPC “vectors.” 5. If 978-0-19-536543-x is an ISBN-13 number, what is the value of x?
1.9 The Chinese Remainder Theorem
In Theorem 1.7.1 and Corollary 1.7.2 we considered the solutions of a single congruence. Here we investigate the simultaneous solution of a system of congruences with different, but relatively prime, moduli. The Chinese remainder theorem has a long history, with an early instance appearing as a problem posed by the Chinese mathematician Sun Tsu Suan-Ching in the curious form:“There are certain things whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5, the remainder is 3; and by 7, the remainder is 2. What will the number be?” (See [W], Puzzle 70) There appears to be some uncertainty as to whether Sun Tsu lived in the first or fourth century, so it may be that the earliest recorded instance is due to Nicomachus (see [Di] and [W]).
Modular Arithmetic
57
Theorem 1.9.1 Let ni ∈ N (i = 1, 2, . . . , k) and (ni , nj ) = 1 if i = j. Let a1 , . . . , ak ∈ Z. Then the system of congruences ⎫ x ≡ a1 mod n1 ⎪ ⎪ ⎪ x ≡ a2 mod n2 ⎬ (1.8) .. ⎪ . ⎪ ⎪ ⎭ x ≡ ak mod nk has a solution that is unique modulo n = n1 n2 · · · nk . Proof. We begin by considering a much simpler system of congruences: ⎫ x ≡ 1 mod n1 ⎪ ⎪ ⎪ x ≡ 0 mod n2 ⎬ (1.9) .. ⎪ . ⎪ ⎪ ⎭ x ≡ 0 mod nk . Clearly, the solutions to the second to kth congruences are exactly the multiples of n2 n3 · · · nk . Thus, the system (1.9) has a solution if and only if there exists a multiple t n2 n3 · · · nk of n2 · · · nk that satisfies the first congruence. But (n1 , n2 · · · nk ) = 1 and so there do exist s, t ∈ Z with sn1 + t n2 n3 · · · nk = 1. Then, w1 = t n2 n3 · · · nk is a solution to the system (1.9). Replacing x ≡ 1 mod n1 in the system (1.9) by x ≡ 1 mod n2 , . . . , x ≡ 1 mod nk in turn we obtain k such systems for which we can find solutions w1 , w2 , . . . , wk , say. The numbers w1 , . . . , wk are referred to as the weights. Then we have ⎫ w1 ≡ 1 mod n1 w2 ≡ 0 mod n1 · · · wk ≡ 0 mod n1 ⎪ ⎪ ⎪ w1 ≡ 0 mod n2 w2 ≡ 1 mod n2 · · · wk ≡ 0 mod n2 ⎬ . .. .. .. ⎪ . . . ⎪ ⎪ ⎭ w1 ≡ 0 mod nk w2 ≡ 0 mod nk · · · wk ≡ 1 mod nk Let w = a1 w1 + a2 w2 + · · · + ak wk . Then, for all i, w = a1 w1 + a2 w2 + · · · + ak wk ≡ a1 · 0 + a2 · 0 + · · · + ai · 1 + · · · + ak · 0 mod ni ≡ ai mod ni .
58
Introduction to Applied Algebraic Systems
Thus, w is a solution to the system of congruences (1.8). Now suppose that v is also a solution. Then, for each i, we have v ≡ ai ≡ w mod ni so that ni | v − w. Since the ni are relatively prime, it follows that n1 · · · nk | v − w, by Lemma 1.4.5. Hence, v ≡ w mod n1 · · · nk and so the solution w is unique modulo n1 n2 · · · nk . Example 1.9.2 Find a solution to the system of congruences x ≡ 2 mod 3,
x ≡ 1 mod 5,
x ≡ 4 mod 8.
The first step is to find the weights. Consider the system x ≡ 1 mod 3,
x ≡ 0 mod 5,
x ≡ 0 mod 8.
Any solution must be a multiple of 5 and 8, and so we simply search through these multiples. In this case, the very first one, w1 = 40, will do since 40 ≡ 1 mod 3. For the second weight, we consider the system x ≡ 0 mod 3,
x ≡ 1 mod 5,
x ≡ 0 mod 8.
Searching the multiples of 24 = 3 × 8 we have 24, 48, 72, 96 and w2 = 96 will fill the bill. Last, we consider x ≡ 0 mod 3,
x ≡ 0 mod 5,
x ≡ 1 mod 8
and find a solution w3 = 105 from the multiples of 15 = 3 × 5 : 15, 30, 45, 60, 75, 90, 105. We can now generate a solution to the given system: w = 2 × 40 + 1 × 96 + 4 × 105 = 80 + 96 + 420 = 596 ≡ 116 mod 120. Thus, w ≡ 116 mod 120 is the required solution. Example 1.9.3 Other problems involving congruences can sometimes be reduced to problems that can be solved using the Chinese remainder theorem.
Modular Arithmetic
59
For example, consider the problem of solving the congruence 11x ≡ 76 mod 120. Since 120 = 3 × 5 × 8, we have that 11x ≡ 76 mod 120 if and only if 11x ≡ 76 mod 3, 11x ≡ 76 mod 5,
11x ≡ 76 mod 8.
and
(1.10)
Since 11 ≡ 2 mod 3, 76 ≡ 1 mod 3, and so forth, this is equivalent to 2x ≡ 1 mod 3,
x ≡ 1 mod 5,
and
3x ≡ 4 mod 8.
If we multiply the first congruence by 2 we obtain x ≡ 2 mod 3. Multiplying this by 2 will recover the congruence 2x ≡ 1mod3. Therefore, the congruences 2x ≡ 1 mod 3 and x ≡ 2 mod 3 are equivalent. Likewise (multiplying by 3), the congruences 3x ≡ 4 mod 8 and x ≡ 4 mod 8 are equivalent. Consequently, the system (1.10) is equivalent to the system x ≡ 2 mod 3,
x ≡ 1 mod 5,
x ≡ 4 mod 8.
This is precisely the system that we solved in the previous example, so we know that the solution is x ≡ 116 mod 120. Another approach to problems of this type is to notice that (11, 120) = 1 so that [11] is invertible in Z120 . It so happens that [11] × [11] = [121] = [1] in Z120 —in other words, [11] is its own inverse in Z120 . Consequently, 11x ≡ 76 mod 120 if and only if x ≡ 121x = 11 × 11x ≡ 11 × 76 mod 120 ≡ 836 mod 120 ≡ 116 mod 120 as before. The Chinese remainder theorem has an interesting application that makes it possible to do large calculations involving integers in parallel. Suppose that n is a large integer and that n = n1 n2 · · · nk where the ni are relatively prime. Suppose further that we wish to calculate the value of some function f (x) of the integer x and we know that the calculation only involves integer values and that the answer lies between 0 and n − 1, although intermediate calculations may involve much larger integers. One possible approach is the following. Perform k separate calculations (in parallel, if so desired) to evaluate ri ≡ f (x) mod ni
(i = 1, . . . , k)
60
Introduction to Applied Algebraic Systems
where 0 ≤ ri ≤ ni − 1. Then use the Chinese remainder theorem to solve the system of congruences: y ≡ ri mod ni
(i = 1, . . . , k).
This approach has two features in its favor. The first is that if ni is very much smaller than n, then calculations mod ni are much easier and faster than calculations involving values on the order of n or greater. The second feature is that the calculations modulo ni (i = 1, . . . , k) can be done in parallel. In particular, this leads to modern applications in situations such as RSA encryption (see section 1.12), where calculations that need to be performed in Zpq where p, q are large prime numbers can, instead, be done separately in Zp and Zq . Example 1.9.4 Let us evaluate the determinant 121 123 125 D = 121 124 130 121 126 146
using the Chinese remainder theorem. Let us work modulo 792 = 8 × 9 × 11. We have D ≡ 6 mod 8 D ≡ 6 mod 9 D ≡ 0 mod 11. Using the Chinese remainder theorem, we find that the unique solution to this system of congruences (modulo 792) is 726. Provided that the correct value of D is in the range 726 − 791 to 726 + 791, then we have found the correct value for D as 726. In fact, this is the correct value. Exercises 1.9 1. Solve the system x ≡ 1 mod 3,
x ≡ 2 mod 5,
x ≡ 3 mod 7.
x ≡ 2 mod 5,
x ≡ 1 mod 11.
2. Solve the system x ≡ 3 mod 6,
3. Solve the congruence 7x ≡ 36 mod 200 in two ways: (i) By finding [7]−1 200 (ii) By using the Chinese remainder theorem
Modular Arithmetic
61
4. Solve the congruence 5x ≡ 16 mod 198 in two ways: (i) By finding [5]−1 198 (ii) By using the Chinese remainder theorem ∗5
Let a, b ∈ Z, m, n ∈ N, d = (m, n). Show that the system of congruences x ≡ a mod m, x ≡ b mod n has a solution if and only if d divides a − b.
1.10 Euler’s function
For all n ∈ N, ϕ(n) is defined to be the number of integers a with 1 ≤ a ≤ n and (a, n) = 1. The function ϕ is called the Euler ϕ-function (Euler’s totient function or simply Euler’s function) and it is extremely important in the study of properties of integers. The value of ϕ(n) is easily calculated for small values of n: n 1 2 3 4 5 6 7 8
{a | 1 ≤ a ≤ n and (a, n) = 1} {1} {1} {1,2} {1,3} {1,2,3,4} {1,5} {1,2,3,4,5,6} {1,3,5,7}
ϕ(n) 1 1 2 2 4 2 6 4
Clearly, ϕ(p) = p − 1 for all primes p. The following will help us in the main theorem. Lemma 1.10.1 Let a, b ∈ Z, n ∈ N. If a ≡ b mod n, then (a, n) = (b, n). In particular, (a, n) = 1 if and only if (b, n) = 1. Proof. Let a ≡ b mod n. Then there exists an integer q ∈ Z with a − b = qn so that b = a − qn. Therefore, if d | a and d | n, then we must also have d | b. Similarly, if d | b and d | n, then d | a. Consequently, (a, n) | (b, n) which implies that (a, n) = (b, n).
and
(b, n) | (a, n)
The converse of Lemma 1.10.1 does not hold.
62
Introduction to Applied Algebraic Systems
Example 1.10.2 We have (2, 6) = 2 = (4, 6) but 2 ≡ 4 mod 6. The next result is particularly useful when calculating values of the Euler ϕ-function. Theorem 1.10.3 Let m, n ∈ N, and (m, n) = 1. Then ϕ(mn) = ϕ(m)ϕ(n). Proof. Let r = ϕ(m), s = ϕ(n), and t = ϕ(mn). Let A = { ∈ N | 1 ≤ < m, (, m) = 1} B = { ∈ N | 1 ≤ < n, (, n) = 1} C = { ∈ N | 1 ≤ < mn, (, mn) = 1}. Then |A| = ϕ(m) and |B| = ϕ(n), so that |A × B| = ϕ(m)ϕ(n) whereas |C| = ϕ(mn). Thus we will achieve our objective if we can prove that |A×B| = |C|. We will do exactly that by showing that there exists a bijective mapping θ : A × B → C. For each a ∈ A, b ∈ B there is, by the Chinese Remainder Theorem, a solution to the system x ≡ a mod m,
x ≡ b mod n
(1.11)
that is unique modulo mn. Since (a, m) = 1 = (b, n), it follows from Lemma 1.10.1 that (x, m) = (x, n) = 1 and, therefore, that (x, mn) = 1. By Lemma 1.6.1, x ≡ c mod mn for some unique element c with 1 ≤ c < mn. By Lemma 1.10.1, (c, m) = 1 so that c ∈ C. Therefore, x ≡ c mod mn for some unique element c ∈ C so that c is the unique solution to the system (1.11) in C. Thus, we have a mapping θ of A × B into C: θ : (a, b) → c where c is the unique solution to (1.11) in C. Now let (a, b), (a , b ) be distinct elements of A × B. Then, either a = a or b = b . So without loss of generality, we may assume that a = a . Since 1 ≤ a, a < m, it follows that a ≡ a mod m. Suppose that θ(a, b) = c, θ (a , b ) = c . Then c ≡ a mod m,
c ≡ a mod m.
Since a ≡ a mod m we must have that c = c . Thus, θ(a, b) = θ(a , b ) and θ is injective.
Modular Arithmetic
63
On the other hand, for all c ∈ C, we have (c, mn) = 1 so that (c, m) = 1 = (c, n) and, by Lemma 1.6.1, there exist a ∈ A, b ∈ B with c ≡ a mod m and c ≡ b mod n. Hence, θ (a, b) = c and θ is surjective. Since θ is both injective and surjective, it follows that θ is a bijection and |A × B| = |C|. Therefore, ϕ(mn) = |C| = |A × B| = |A| |B| = ϕ(m) ϕ(n). Corollary 1.10.4 If p and q are primes then ϕ(pq) = ϕ(p)ϕ(q) = (p − 1)(q − 1). Example 1.10.5 ϕ(35) = ϕ(5)ϕ(7) = 4 × 6 = 24 ϕ(55) = ϕ(5)ϕ(11) = 4 × 10 = 40. If we write an integer in its prime factorization n = p1 r1 · · · pk rk then Theorem 1.10.3 tells us that ϕ(n) = ϕ(p1 r1 )ϕ(p2 r2 ) · · · ϕ(pk rk ). The next result shows us how to calculate ϕ(p r ) for any prime p. Theorem 1.10.6 Let p be a prime and n ∈ N. Then ϕ(p n ) = p n−1 (p − 1). Proof. Exercise.
Exercises 1.10 1. Find ϕ(m) for m = 8, 11, 12, 16, 21. 2. Prove Theorem 1.10.6. 3. Calculate ϕ(125), ϕ(1800), ϕ(10800). ∗ 4.
Find all solutions x to ϕ(x) = 6.
64
Introduction to Applied Algebraic Systems
5. Show that ϕ(n) is even for n ≥ 3. 6. Find the inverse of 11 modulo ϕ(35). 7. Let m, n ∈ N. Show that the number of integers ≤ mn and relatively prime to m is n ϕ(m). 8. Show that if m and n have the same prime divisors, then ϕ(mn) = n ϕ(m).
1.11 Theorems of Euler and Fermat
Suppose that we have an element a in Zn and that we calculate successive powers of a (in Zn ): a, a 2 , a 3 , . . . . Since Zn is finite, it is evident that these powers cannot all be distinct. In this section we discuss two famous theorems that shed some light on exactly what happens to these powers. Theorem 1.11.1 (Euler’s Theorem) Let a ∈ Z, n ∈ N, and (a, n) = 1. Then a ϕ(n) ≡ 1 mod n. Proof. Let A = {[r1 ], . . . , [rk ]} be the set of invertible elements in Zn . By Theorem 1.7.1, k = ϕ(n). By Lemma 1.7.8, (a, n) = 1 =⇒ [a][ri ] = [a][rj ] for i = j.
(1.12)
By Lemma 1.7.5, (a, n) = 1 =⇒ [a][ri ] is invertible for all i.
(1.13)
From (1.12) and (1.13) it follows that B = {[ar1 ], . . . , [ark ]} is a set of k invertible elements. But Zn only has k invertible elements all together. Therefore, we must have B = A and B is just a listing of the elements of A in some order. Consequently, since multiplication is commutative, [r1 ][r2 ] · · · [rk ] = [ar1 ] · · · [ark ]
Modular Arithmetic
65
so that [r1 · · · rk ] = [a k r1 · · · rk ] = [a k ][r1 · · · rk ]. By Lemma 1.4.5 (iii), we have (r1 · · · rk , n) = 1 so that, by Lemma 1.7.8, [1] = [a k ] or a ϕ(n) = a k ≡ 1 mod n. In the proof of Euler’s Theorem, we multiplied the set of invertible elements by an invertible element, and, by a counting argument, we could claim that we still had the set of all invertible elements, just rearranged. To see how this works, consider the invertible elements in Z10 —namely, {1, 3, 7, 9}. If we multiply each of these elements by 9, then we obtain {9, 7, 3, 1}, which is exactly the same set, but in a different order. Similarly in Z15 , if we multiply the invertible elements {1, 2, 4, 7, 8, 11, 13, 14} by 2, say, then we obtain {2, 4, 8, 14, 1, 7, 11, 13}, which again is just the same set in a different order. Example 1.11.2 If n = 12 then ϕ(12) = 4 and with a = 5 we have a 1 = 5, a 2 = 25 ≡ 1 mod 12 a 4 = (a 2 )2 ≡ 12 = 1 mod 12. If n = 30 then ϕ(n) = 8 and with a = 7 we have a 1 = 7, a 2 = 49 ≡ 19 mod 30 a 4 = (a 2 )2 ≡ 192 = 361 ≡ 1 mod 30 a 8 = (a 4 )2 ≡ 12 ≡ 1 mod 30. Theorem 1.11.3 (Fermat’s Theorem) Let p be a prime and a ∈ Z. (i) (a, p) = 1 =⇒ a p−1 ≡ 1 mod p. (ii) a p ≡ a mod p. Proof. Since p is a prime we know that ϕ(p) = p − 1. Part (i) is then a special case of Theorem 1.11.1. (ii) There are two cases. (a) (a, p) = 1. Then a p−1 ≡ 1 mod p, by part (i), so that a p = a · a p−1 ≡ a mod p.
66
Introduction to Applied Algebraic Systems
(b) p | a. Then p | a p and p | a p − a. Therefore, a p ≡ a mod p. Why, one might wonder, should a straightforward corollary to Euler’s Theorem be graced with the name of Fermat? Perhaps the fact that Fermat (1601–1665) preceded Euler (1707–1783) by roughly a century explains why Fermat’s Theorem could seem so striking at the time. The following converse of Fermat’s Theorem suggests an important technique for testing the primality of an integer. Lemma 1.11.4 Let p ∈ N be such that p > 1 and a p−1 ≡ 1 mod p, for all a with 1 < a < p. Then p is a prime. Proof. Let a be such that 1 < a < p. Then the hypothesis of the lemma tells us that there exists k ∈ Z with a p−1 − 1 = kp. Consequently, 1 = a p−1 − kp, from which it follows that (a, p) | 1. But we always have (a, p) ≥ 1. Therefore, (a, p) = 1 for all integers a with 1 < a < p. In other words, p is a prime. Experience has shown that testing whether a p−1 ≡ 1 mod p for just a few values of a, such as a = 2, 3, 5, 7, will often demonstrate that p is not a prime, if that is indeed the case. In fact, a question posed by Fermat himself can be n answered using this test. He asked: Is 22 + 1 always prime? He was able to check that this is indeed true for n = 0, 1, 2, 3, 4, for which the values are 3, 5, 17, 257 and 65537, respectively, all of which are prime numbers. He was 5 unable to resolve the case n = 5 where 22 + 1 = 4294967297. However, it 5 turns out that 22 + 1 fails the test when a = 3. A different way of seeing that this number is not a prime using modular arithmetic is provided at the end of this section. There are certain composite numbers known as Carmichael numbers that undermine the usefulness of the above test for the primality of a positive integer. A Carmichael number n is a positive integer such that a n−1 ≡ 1 mod n, for all a that are relatively prime to n. The smallest Carmichael number is 561 = 3 × 11 × 17. For more background on this topic, see ([CLRS], Section 31.8). We will return to the topic of primality testing again briefly in Section 7.3.
Modular Arithmetic
67
From Euler’s Theorem we know that for any invertible element a in Zn , we have a ϕ(n) ≡ 1 mod n. The least positive integer m such that a m ≡ 1 mod n is called the order of a (mod n). Example 1.11.5 The invertible elements in Z10 are 1, 3, 7, 9, and ϕ(10) = 4. We have 11 = 1 ≡ 1 32 = 9, 33 = 27 ≡ 7, 34 ≡ 7 × 3 ≡ 21 ≡ 1 72 = 49, 73 ≡ 9 × 7 = 63 ≡ 3, 74 ≡ 3 × 7 ≡ 21 ≡ 1 92 = 81 ≡ 1. Thus, the orders of 1, 3, 7, and 9 are 1, 4, 4, and 2, respectively. Note that if we take powers of a noninvertible element then we will never arrive at 1. For example: 52 = 25 ≡ 5, 53 = 52 × 5 ≡ 5 × 5 ≡ 5, and so on. 42 = 16 ≡ 6, 43 ≡ 42 × 4 ≡ 6 × 4 ≡ 24 ≡ 4, and so on. Lemma 1.11.6 Let a ∈ Z, n ∈ N, and (a, n) = 1. Then the order of a divides ϕ(n). Proof. By Euler’s Theorem we know that a ϕ(n) ≡ 1 mod n. Let m denote the order of a. Necessarily, m ≤ ϕ(n). Let ϕ(n) = qm + r
where 0 ≤ r < m.
Then, 1 ≡ a ϕ(n) ≡ a qm+r ≡ (a m )q a r ≡ 1q a r ≡ a r . By the minimality of m, we must have r = 0. Therefore, ϕ(n) = qm and m | ϕ(n). These observations on the order of an element can help us resolve Fermat’s 5 problem in regard to the number 22 + 1. Suppose that p is a prime divisor of 5 5 6 22 + 1. Then 22 ≡ −1 mod p so that 22 ≡ 1 mod p, from which it follows that the order of 2 mod p is exactly 26 = 64. But, by Lemma 1.11.6, the order of 2 must divide ϕ(p) = p − 1. Hence p ≡ 1 mod 64. A searchof primes of
68
Introduction to Applied Algebraic Systems 5
the form 64x + 1 soon arrives at p = 641 which does, in fact, divide 22 + 1. 5 Thus 22 + 1 is not a prime. Exercises 1.11 1. Use Fermat’s Theorem to simplify 2127 mod 31. 2. Use Fermat’s Theorem to calculate the remainder from 12519 divided by 47. 3. Use Euler’s Theorem to simplify 350 mod 35. 4. Simplify 590 mod 27. 5. Find the remainder from 6124 divided by 11. 6. Let a, b ∈ N and p be a prime. Use Fermat’s Theorem to show that (a ± b)p ≡ a p ± b p mod p. 7. Show that if a, b ∈ N and p is a prime such that a p ≡ b p mod p, then a p ≡ b p mod p 2 . 8. Find the order of the following elements: (i) 7 ∈ Z12 (ii) 5 ∈ Z16 (iii) 2 ∈ Z29 1.12 Public Key Cryptosystems
For more than 2000 years people have been devising schemes, or ciphers as they are often called, for encoding and decoding messages. The primary objective of such schemes is to prevent a message being intercepted and read by some unauthorized person. Until recent times, the messages would have been sent among politicians, leaders, and generals or other representatives of the armed forces; the intent of encoding messages was to prevent the enemy from intercepting them. In today’s world, messages concerning war and peace are not the only messages that are deemed important enough to be protected from eavesdroppers. Confidentiality is an important aspect of life. It is important that the transfer of all kinds of data be done in a secure manner—for example, health records, insurance data, and financial data, to name a few. Data security and data encryption are now an important part of the high-tech industry. In a basic scheme, the sender and receiver would agree on some method of encryption. For example, a method used in Greece in about 100 b.c. was to arrange the letters of the (Greek) alphabet in an array and then each letter would be replaced by its coordinates in the array. A modern-day equivalent
Modular Arithmetic
69
might look like
A B C D E
A B A B F G L M Q R V W
C D E C D E H I K N O P S T U X Y Z
(Note that the Greek alphabet had 24 letters compared with 26 in English.) The message “call home E.T.” was then encrypted as AC AA CA CA BC CD CB AE AE DD. A scheme used by the Roman general Caesar simply shifted each letter: A → D, B → E, C → F , · · · . Cardinal Richelieu (1585–1642), by some accounts one of France’s greatest statesmen, is reputed to have used an encryption method in which the actual message would be interspersed on a page with garbage, and the message would be recovered from the page by placing a“template”over the page that contained holes and slits. The message could then be read from the letters exposed by the holes. Another simple method of encryption is to convert the individual letters in the message to integers, break the message into blocks (vectors) v1 , . . . , vm of some fixed length n, and then apply an invertible n×n matrix A with integer entries to obtain Av1 , . . . , Avm . The original message can then be recovered by applying the inverse A −1 to each block. Two large classes of encryption ciphers are the substitution and affine ciphers. In substitution ciphers, a permutation is applied to each letter of the alphabet. For example, the Caeser cipher described above was a substitution cipher. Another important substitution based cipher, one that affected the course of World War II, was the Enigma cipher that will be discussed in Chapter 4. In an affine cipher, the message is first digitized and then each digit or string is subjected to the transformation:x −→ ax + b mod n. For this to be invertible, a must be invertible mod n. The affine cipher is a special case of the substitution cipher. Schemes such as these have the feature that if you know how to encode a message, then you know immediately how to decode any message using the same scheme. Therefore it is extremely important that the method of encryption be kept secret. R. Merkle, W. Diffie, and M. Hellman proposed a different kind of scheme, one in which anyone would know how to encrypt a message but only the
70
Introduction to Applied Algebraic Systems
recipient would know how to decrypt the message. Such a scheme would be useful to government departments, banks, and businesses that could publish the schemes to be used by anyone who wished to communicate with them, secure from any eavesdropper. At first it might seem that Merkle, Diffie, and Hellman were proposing the impossible. But let us analyze this a little further. Suppose that we consider the encoding process as some sort of function E mapping letters or words over the alphabet a, b, c, . . . to strings of zeros and ones—that is, words over the alphabet {0, 1}. The decoding process is then a function D in the opposite direction. Since the decoding process must yield the original message, the functions D and E must compose to give the identity: DE = I
PLAIN TEXT w ⏐ ⏐ ⏐E CODED TEXT E(w)
DECODED TEXT D(E(w)) ⏐ ⏐D ⏐
INSECURE CHANNEL ⏐ ⏐ ⏐
=⇒
RECEIVED TEXT E(w)
CRYPTANALYST The idea put forward by Merkle, Diffie, and Hellman was that it would be possible to find suitable pairs of functions (E, D) where knowledge of E did not immediately reveal D and that, although it might be possible to determine D from E, the time and the cost would be too great for it to be practical. They labeled such functions E as trap door functions . Various pairs of functions (E, D) satisfying the Merkle, Diffie, and Hellman requirements have been developed. We will present one such scheme that has attracted great attention and has been widely implemented. This scheme is called the RSA system after its inventors Rivest, Shamir, and Adleman (see [RSA]). Although Rivest, Shamir, and Adleman announced their technique in 1977, it appears that the British Security Services were aware of the RSA scheme some years earlier. The “ingredients,” as you might say, in the RSA system are as follows: p, q — distinct large primes (probably more than 150 decimal digits) n = pq ϕ(n) = (p − 1)(q − 1)
(by Corollary 1.10.4)
Modular Arithmetic
71
d = large positive integer with (d, ϕ(n)) = 1 e ∈ N such that de ≡ 1 mod ϕ(n). Note that such an integer e will always exist on account of Theorem 1.7.1(iii). For this choice, n = the modulus e = the encryption exponent d = the decryption exponent {n, e} = the public encryption key Any agency wishing to use this scheme would make the values of n and e publicly available. Anyone wishing to send a message only needs to know the values of n and e. Once the values of n, e, and d have been selected, we can establish our encoding and decoding procedure. Encoding Procedure
(1) Digitize the message into a decimal word. (2) Divide the decimal word into blocks of some suitable length L so that each block b in the message represents a number between 0 and n − 1. (3) Encode each block b: b → b e mod n where b e mod n is the unique element in [b e ]n ∩ {0, 1, . . . , n − 1}. Decoding Procedure
(1) Decode each received word w: w → w d mod n where w d mod n is the unique element in [w d ] ∩ {0, 1, . . . , n − 1}. (2) Dedigitize w d mod n. The key question now is, if we start with a block b, encode it as w = b e and decode w as w d , do we recover b? Theorem 1.12.1 Let n, e, and d be as noted earlier and b ∈ {0, 1, 2, . . . , n − 1}. Then b is the unique integer in S = {0, 1, 2, . . . , n − 1} ∩ [(b e )d ]n .
72
Introduction to Applied Algebraic Systems
Proof. By Lemma 1.6.1, there can be at most one integer in S. Consequently, all that we have to do is show that (b e )d ≡ b mod n. First let us suppose that (b, n) = 1. By the choice of e and d, we have ed ≡ 1 mod ϕ(n) so that there exists k ∈ N with ed = kϕ(n) + 1. Hence, (b e )d = b ed = b kϕ(n)+1 = (b ϕ(n) )k b ≡ 1k b mod n
by Euler’s Theorem
≡ b mod n, as required. Now suppose that (b, n) = 1. That is possible since, after all, n = pq is composite. If b = 0 then (b e )d = 0. So suppose that b = 0. Then either p | b or q | b, but not both, since n = pq and 1 ≤ b < n. Without loss of generality, it suffices to assume that p | b and that (b, q) = 1. By Euler’s Theorem applied to q, we have b ϕ(q) ≡ 1 mod q so that, since ϕ(n) = ϕ(p)ϕ(q), b ϕ(n) = (b ϕ(q) )ϕ(p) ≡ 1ϕ(p) ≡ 1 mod q. Therefore, b ed = b kϕ(n)+1 = (b ϕ(n) )k b ≡ b mod q. Since p | b we have b ed ≡ 0 ≡ b mod p. Thus, both p and q divide b ed − b. However (p, q) = 1. Consequently, n = pq also divides b ed − b. In other words, b ed ≡ b mod n in this case (where p | b) also.
Corollary 1.12.2 The RSA procedure provides unique encoding and decoding for integers b ∈ {0, 1, 2, . . . , n − 1}.
Modular Arithmetic
73
Scheme: SENDER:
Plain Text abc . . .
−−−→
Decimal String 010203 . . .
−−−→
Blocks b1 b2 b3 . . .
Public Key n, e ⏐ ⏐ ⏐ −−−→
Cipher Text −−−→ c1 c2 c3 . . . −−−→ Transmit ci = bie mod n
RECEIVER:
−−−−−−→
Receive
Cipher Text c1 c2 c3 . . .
−−−−−−→
Decimal String 010203 . . .
Decode Exponent ⏐ ⏐ ⏐ −−−−−−−→
−−−−−−−→
Blocks bi = cid mod n
−−−−−−−→
Original Plain Text abc . . .
A Decimal Representation of Alphabet, Numbers and Punctuation
a = 01 f = 06 k = 11 p = 16 u = 21 z = 26 E = 31 J = 36 O = 41 T = 46 Y = 51 3 = 56 8 = 61 ; = 66 ” = 71
b = 02 g = 07 l = 12 q = 17 v = 22 A = 27 F = 32 K = 37 P = 42 U = 47 Z = 52 4 = 57 9 = 62 : = 67 ’ = 72
c = 03 h = 08 m = 13 r = 18 w = 23 B = 28 G = 33 L = 38 Q = 43 V = 48 0 = 53 5 = 58 = 63 ? = 68
d = 04 i = 09 n = 14 s = 19 x = 24 C = 29 H = 34 M = 39 R = 44 W = 49 1 = 54 6 = 59 . = 64 ! = 69
e = 05 j = 10 o = 15 t = 20 y = 25 D = 30 I = 35 N = 40 S = 45 X = 50 2 = 55 7 = 60 , = 65 “ = 70
74
Introduction to Applied Algebraic Systems
Example 1.12.3 Let p = 113, q = 173 so that n = 19549 and ϕ(n) = 112 × 172 = 19264. Let e = 31. Then d = 11807.
Plain Text:
T i m i.. d.
Decimal String:
Blocks: ⏐ ⏐ ⏐ Cipher Text: ⏐ ⏐ ⏐ Blocks Recovered: ⏐ ⏐ ⏐ Plain Text Recovered:
. . . ... . . ... .. .. ... ... ... . . .. ... .. .. ... .. ... ... . ... ... .. . . . .. ... ... .. .. . . . . . . .
... .... ... ... ... ... ..... ..... . ... ... ... ... ... ... ..... ... .. .
... ... ... ... ... ... ... ... ... ... ..
b o.. n ebreaker . . . . .. ... ... .. ..
. ... ... ..... . ... ... ..... ... ..
... ... ... ... ... ... ... ... ... ... .
?
.... .. ... .... .... .... ....... .......................... .. .. ... ... .... ...... ...... ........ ........ ............... . .. .. ... .... .... ...... ....... ........ ........ .. .. ... ... .... ....... ....... ....... ......... ............... .. .. ... .... ... ...... ....... ........ ........ . .. .. ... ... .... ...... ....... ........ ........ ............... .. .. ... ... .... ....... ....... ....... ......... ........ . . .. .. ... ...... ...... ....... ............ ............. .............. ................ ............... .. .. .. .. . . .. . . ... ... .. ... ...... ....... ............ ............. .............. ................ ............... ... .. . ... . ... ..... ... ..... ...... ...... .....
46 09 13 09 04 63 02 15 14 05 02 18 05 01 11 05 18 68
04609
01309
00463
00215
001405
12161
09354
05666
00463
00215
001405
00218
00501
01105
01868
bi31 mod 19549
12774
16971
06946
08265
13817
18250
ci11807 mod 19549
04609
01309
00218
00501
01105
01868
Timid bonebreaker?
A minor procedural problem arises when we look at specific examples, such as Example 1.12.3. Since the modulus is n = 19264, which has 5 digits, if we break the message up into blocks of length 4, then all the resulting numbers represented by the blocks bi will certainly be less than n. However, when we calculate b e modn, we may obtain a number with 1, 2, 3, 4, or 5 digits. For instance 460931 ≡ 12774 mod 19264. So we require some device to separate the values of b1e , b1e , and so on. One possibility is to break up the message into blocks one less than the length of n and add a zero at the beginning to produce a block of the same length as n but still representing a number less thann. For example, replace 4609 by 04609. Then the encoded and decoded message can be treated uniformly in blocks of the same length (5 in this case). Elegant as the ideas behind the RSA encryption scheme may be, their implementation depends critically on the ability to perform exponential
Modular Arithmetic
75
calculations efficiently involving two large integers. Calculating x m as (m−1)−multiplications
x m = (. . . ((x · x) · x) . . .)
with (m − 1) multiplications is too inefficient. One technique that is used is known as exponentiation by squaring or square and multiply. This technique dramatically reduces the number of calculations involved. It takes advantage of the representation of the exponent in base 2 arithmetic. For example, if m = ak 2k + ak−1 2k−1 + . . . + a0 (ak = 0, ai ∈ {0, 1}), then we can write x k = ((. . . (x ak )2 x ak−1 )2 x ak−2 )2 · · · x a1 )2 x a0 where the number of multiplications (alternating between squaring and multiplication by x) to be carried out is of the order of log m, as opposed to m − 1. (Of course all the calculations are actually carried out relative to the modulus n adopted for the RSA encryption scheme.) The extent of the gain is easily appreciated by considering one or two examples, even small ones. If m = 15 = 23 + 22 + 21 + 20 , then we can write x 15 = (((x)2 x)2 x)2 x where the latter requires 6 multiplications as opposed to 14. If m = 65 = 26 + 1, then x 65 = ((((((x)2 )2 )2 )2 )2 )2 x requiring 7 multiplications instead of 64. Finally, if m = 1000 = 29 + 28 + 27 + 26 + 25 + 23 , then x 1000 = (. . . (x)2 x)2 x)2 x)2 x)2 )2 x)2 )2 )2 requiring just 14 multiplications versus 999 by direct computation. The question that remains is: How secure is the RSA system? The task confronting a cryptanalyst is to discover the value of d given the information n and e. To do this requires a knowledge of ϕ(n). But, pq = n and p + q = n − ϕ(n) + 1. So a knowledge of n and ϕ(n) would make it possible to solve these equations to find the factorization of n. Thus, the task facing the cryptanalyst is to find the factorization of n as a product of two primes.
76
Introduction to Applied Algebraic Systems
When n has more than 100 digits, this is considered a hard problem. However, ever faster computers combined with distributed or parallel computing and new factorization techniques are advancing constantly the frontiers of what is “manageable” in this regard. To test and to demonstrate to the scientific community the security of their system, Rivest, Shamir, and Adelman published a short message that had been encoded using their method and a modulus n (a product of two prime numbers) with 129 digits. This number became known in the literature as RSA 129. RSA129 = 11438162575788886766923577997614661201021829672124236256256184293 5706935245733897830597123563958705058989075147599290026879543541 = 3490529510847650949147849619903898133417764638493387843990820577 · 32769132993266709549961988190834461413177642967992942539798288533
The authors of this scheme estimated that using the conventional methods of the day, the number of calculations required to factor RSA 129 and break the code would take 40 quadrillion years. The challenge, with a nominal $100 reward, was published in Martin Gardner’s column in the Scientific American in 1977. What they did not reckon with were the advances that would be made in the development of both factoring algorithms and computing power. Using distributed computing techniques involving approximately 1700 computers around the world, in a massive cooperative attack, D. Atkins, M. Graff, A. Lenstra, and P. Leyland were able to announce on April 26, 1994, that they had factored RSA 129 and decoded the message as “The Magic Words are Squeamish Ossifrage”. Despite this impressive achievement, the encryption community still believes that the advantage lies with the designers of this system because the complexity of factoring increases dramatically as the length of the modulus n increases. Boneh [Bon, page 212] asserts that “Two decades of research into inverting the RSA function produced some insightful attacks, but no devastating attack has ever been found”. However, the growing size of the keys and the computations involved may result in the advantage in utility passing to rival encryption schemes such as elliptic curve cryptography. The exercises in this section illustrate one problem that can occur in RSA encryption if one wants to use a common modulus. There are various other pitfalls. For example, the number of digits in the decryption exponent should be at least as big as one quarter of the number of digits in n. For further good reading, see Patterson [Pat] and Stinson [Sti]. The topic of factorization of large integers, which is so crucial to RSA encryption, is discussed briefly in Section 7.3, to which an interested reader could skip at this point for a description of Pollard’s p − 1 method.
Modular Arithmetic
77
Exercises 1.12 1. Choose distinct primes p, q (≥ 11) and d < n = pq such that (d, ϕ(n)) = 1. (i) Find e = d −1 mod ϕ(n). (ii) Pick a message with at least 10 characters. Now encode and decode your message using the RSA encryption scheme. ∗ 2.
Let e1 , e2 , m, n ∈ N where (e1 , e2 ) = 1 = (m, n) and e1 , e2 > 1. Let a = m e1 mod n,
b = m e2 mod n.
(1.14)
Assuming that a, b, e1 , e2 and n are known, show how to recover the value of m. (Hint: Apply the Euclidean algorithm to e1 , e2 .) In the exercises to follow, let p, q, n = pq, e and d be chosen for an RSA encryption scheme as described earlier. ∗ 3.
(i) Show that e and d are both odd. (ii) Show that there exists k > 0 with ed − 1 = 2k y where y is odd. (iii) Let 1 ≤ b ≤ n − 1 and (b, n) = 1. Show that the order of b in Zn is of the form 2j z where j ≤ k, z | y. j−1 (iv) Show that a = b 2 z satisfies a 2 ≡ 1 mod n.
∗ 4.
Let 1 < a < n − 1 be such that (i) a 2 ≡ 1 mod n (ii) a ≡ ±1 mod n. Show that either (a + 1, n) = p or (a + 1, n) = q.
5. Exercises 3 and 4 show how a subscriber (with knowledge of one pair of values e, d) to a shared RSA encryption protocol using a common modulus can factorize the modulus n. Choose values of p, q, n = pq, e and d and, using only the values of n, e, and d, a value of b with 1 ≤ b ≤ n − 1 and the method of Exercises 3 and 4, recover the values of p and q. Note: Not every choice of b is guaranteed to be successful. ∗ 6.
Let P and P1 be participants in a network in which internal communication among members uses RSA encryption with individual encryption and a decryption exponent, but with a common modulus. Let communication with P use (n, e, d) and with P1 use (n, e1 , d1 ). The following steps show how P1 may be able to decode P’s messages without needing to know the factorization of n. Let f = (e, e1 d1 − 1),
g = (e1 d1 − 1)/f .
78
Introduction to Applied Algebraic Systems
Assuming that (e, g ) = 1, establish the following: (i) The Euclidean algorithm can be used to find s, t ∈ Z with gs + et = 1. (ii) (iii) (iv) (v)
(f , ϕ(n)) = 1. ϕ(n) divides g . et ≡ 1 mod ϕ(n). For (m, n) = 1, (m e )t ≡ m mod n.
7. Determine how many multiplications are required in the exponentiation by squaring method applied to x 500 .
2 Rings and Fields
In Chapter 1, we introduced Zn and developed some of its properties as an algebraic structure. The important feature of Zn as an algebraic structure is the fact that it possesses two algebraic binary operations (addition and multiplication) that have certain properties individually and that interact with each other through the distributive law. Other algebraic structures share some of the properties of Zn . For example, the set of all n × n matrices of real numbers is an algebraic structure with two binary operations (again, addition and multiplication) and the set of all real valued functions of a real variable has three familiar binary operations (this time, addition, multiplication and composition). In this chapter we begin a study of algebraic structures with two binary operations of addition and multiplication.
2.1 Basic Properties
Let R be a nonempty set. Then a binary operation ∗ on R is a rule that associates with each pair of elements a, b ∈ R an element a ∗ b. If a ∗ b is also an element of R, for all a, b ∈ R, then we say that R is closed under ∗. The standard examples of binary operations are things like addition or multiplication of numbers, matrices, and so forth. A simple example of a situation in which there is a reasonable operation but the set is not closed under that operation is the set N of natural numbers under division. We have 3, 4 ∈ N but 34 ∈ N. In other words, N is not closed under division. 79
80
Introduction to Applied Algebraic Systems
Let R be a set with two binary operations which we will denote by + and · (although we will usually indicate · simply by juxtaposition). Here are some of the properties that (R, +, ·) might have: For all a, b, c ∈ R (except in (ix)) R is closed with respect to + and · a + (b + c) = (a + b) + c a+b =b+a there exists an element 0R ∈ R with a + 0R = a there exists an element −a ∈ R with a + (−a) = 0R a(bc) = (ab)c a(b + c) = ab + ac (b + c)a = ba + ca (vii) ab = ba (viii) there exists an element 1R ∈ R with 1R = 0R and a1R = a = 1R a (ix) for all a ∈ R with a = 0, there exists an element a −1 ∈ R with aa −1 = a −1 a = 1R . (0) (i) (ii) (iii) (iv) (v) (vi)
⎫ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎬ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎭
FIELD
Essentially, we have just listed all the rules that we usually apply in the familiar arithmetic of real or rational numbers. We adopt some of the same terminology. The element 0R is called the zero and the element 1R is called the identity of R. Some of these laws have their own names: (0) Closure (i), (v) Associative (vi) Distributive (ii), (vii) Commutative (iii), (viii) Existence of identities (iv) Existence of additive inverse (ix) Existence of multiplicative inverse Certain groupings of these properties show up with such frequency that they have been accorded special names: Properties
Name
(0)-(vi) Ring (0)-(vii) Commutative ring (0)-(vi), (viii) Ring with identity (0)-(viii) Commutative ring with identity (0)-(ix) Field
Rings and Fields
81
The simplest of these structures is a ring and the richest (in terms of having the most properties) is that of a field. Note that although we allow a ring to consist of a single element (i.e., R = {0R }), we insist that 0R = 1R in a field, so that any field has at least two elements. Example 2.1.1 The following are examples of rings: (1) Z, Q, R. (2) The set 2Z of all even integers. (3) Zn . (4) Mn (R), the set of all n × n matrices over a ring R with the usual addition and multiplication of matrices. (5) Q[x], the set of all polynomials with rational coefficients. (6) R[x], the set of all polynomials with real coefficients. With all these rules that look so familiar to us since we have been using them in arithmetic without even thinking about them, it is tempting to assume that all the rules of arithmetic will always apply. However, we are already aware of certain examples when the normal rules do not apply. For instance, the multiplication of matrices is not commutative, the set of even integers does not have a multiplicative identity, and in section 1.7 we saw that products of nonzero elements in Zn can be zero (something that is impossible in the arithmetic with which we are most familiar). All this warns us that we must be extremely careful in developing the properties of rings and must take nothing for granted. In the next result we gather together some basic observations. Lemma 2.1.2 Let (R, +, ·) be a ring. (i) (ii) (iii) (iv) (v) (vi)
The zero element 0R is unique. If R has an identity 1R , then it is unique. For all a ∈ R, 0R · a = 0R = a · 0R . For all a ∈ R, −a is unique. If a −1 exists, then it is unique. For all a, b ∈ R, (−a)b = a(−b) = −(ab) −(−a) = a, (−a)(−b) = ab.
(vii) −0R = 0R .
82
Introduction to Applied Algebraic Systems
Proof. (i) Let 0R and w be elements of R such that a + 0R = a and a + w = a, for all a ∈ R. Then, w = w + 0R = 0R + w = 0R
by property of 0R by commutativity of + by property of w.
Thus, 0R is unique. (ii) Exercise. (iii) Let a ∈ A. Then, 0R · a = (0R + 0R ) · a = 0R · a + 0R · a
by property of 0R by distributivity
so that 0R · a + (−0R · a) = 0R · a + 0R · a + (−0R · a) and 0R = 0R · a + 0R = 0R · a. Similarly, we can show that a · 0R = 0R . (iv) Let −a and x be elements of R such that a + (−a) = 0R , a + x = 0R . Then x = 0R + x = a + (−a) + x = a + x + (−a) = 0R + (−a) = −a
by property of 0R by property of −a by commutativity by property of x by property of 0R .
Thus, the additive inverse of each element is unique. (v) Exercise. (vi) Let a, b ∈ R. Then we have ab + (−a)b = (a + (−a))b = 0R · b = 0R
by distributivity by property of −a by part (iii).
By part (iv) it now follows that (−a)b = −(ab). The verification of the remaining equalities is left as an exercise. (vii) Exercise.
Rings and Fields
83
Part (iii) of Lemma 2.1.2 is interesting, because there is nothing in the axioms for a ring that specifically relates 0R to multiplication and so it might be expected that this would have to be part of the axioms. However, this is not the case, because it is a consequence of the listed axioms. To simplify the notation, it is customary to write a −b in place of a +(−b). Henceforth, unless it is important to use 0R and 1R to avoid confusion, we will simply write 0 and 1 and expect that the meaning will be clear from the context. Let R be a ring with identity and a ∈ R. If a −1 exists, then a is said to be invertible or a unit and a −1 is called the inverse of a. We denote the set of all invertible elements in R by R ∗ . Since all nonzero elements in a field F are invertible, it follows that in a field F , F ∗ just consists of all the nonzero elements. If a and b are elements of a commutative ring R such that a = 0R , b = 0R , but ab = 0R , then a and b are said to be zero divisors. Typically the presence of zero divisors complicates calculations, so it is nicer to work in contexts that are free of them. By an integral domain we mean a commutative ring with identity and no zero divisors. For example, Z, Q, and R are integral domains but Z6 is not. There is a connection between zero divisors and the cancellation laws. Lemma 2.1.3 Let R be a commutative ring with identity. Then the following are equivalent: (i) R is an integral domain. (ii) a, b, x ∈ R, x = 0 and ax = bx ⇒ a = b. Proof. (i) implies (ii). We have x = 0, ax = bx =⇒ (a − b)x = 0 =⇒ a − b = 0 or x = 0 =⇒ a − b = 0 =⇒ a = b.
by hypothesis
(ii) implies (i). We argue by contradiction. Let a, b ∈ R be such that a = 0, b = 0, and ab = 0. Then, ab = 0 =⇒ ab = 0 = a · 0 =⇒ b = 0
by hypothesis
which is a contradiction. Therefore, R is an integral domain. Fields are important examples of integral domains. Lemma 2.1.4 Every field is an integral domain.
84
Introduction to Applied Algebraic Systems
Proof. Let F be a field, a, b, x ∈ F , and x = 0. Since F is a field, the element x has a multiplicative inverse x −1 . Consequently, ax = bx =⇒ (ax)x −1 = (bx)x −1 =⇒ a(xx −1 ) = b(xx −1 ) =⇒ a · 1 =b·1 =⇒ a = b. It now follows from Lemma 2.1.3 that F is an integral domain.
Our principal goal in this chapter is to begin the study of fields. The only examples of fields that are ready to hand for us at the moment are Q, R and C so it is interesting to discover that some of the rings Zn are also fields. Theorem 2.1.5 Zn is a field if and only if n is a prime. Proof. By Theorem 1.6.6 we already know that Zn is a commutative ring with identity. Consequently, Zn is a field ⇐⇒ for all a ∈ Zn \ {0}, a has an inverse ⇐⇒ for all a ∈ Zn \ {0}, (a, n) = 1 (Theorem 1.7.1) ⇐⇒ n is a prime.
We shall see shortly how to construct many other examples of finite fields. The following is a useful way of obtaining new examples of rings from examples that we already know about. Let S and T be rings and let R = S × T with addition and multiplication defined as follows: (a, b) + (c, d) = (a + c, b + d), (a, b)(c, d) = (ac, bd). We describe these operations by saying that addition and multiplication are defined componentwise. Then R is a ring (see exercises) called the direct product of S and T . We have seen that if a ring R has an identity, then 12 = 1 and 02 = 0. Any element x ∈ R such that x 2 = x is called an idempotent. Thus, 0 and 1 are examples of idempotents. In general, a ring may have many idempotents. Exercises 2.1 In Exercises 1 through 6, let R be a ring and a, b ∈ R. 1. Show that if R has an identity then it is unique. 2. Show that a(−b) = −(ab), (−a)(−b) = ab, −(−a) = a.
Rings and Fields
85
3. Show that if m ∈ N, then −(ma) = m(−a). 4. Show that if R is a ring with identity, a ∈ R, and a has an inverse, then it is unique. 5. Show that if m ∈ N and a has an inverse, then (a m )−1 = (a −1 )m and (−a)−1 = −(a −1 ). 6. Let R be a ring with identity. Show that the set U of invertible elements is closed under multiplication but not under addition. 7. Show that (Z\{0}, gcd, ·) is not a ring. 8. Let R denote the set of all real valued functions of a real variable. Show that (i) (R, +, ·) is a ring (ii) (R, +, ◦) (where ◦ denotes the composition of functions) is not a ring. √ √ 9. Show that Z[ 2] = {a + b 2 | a, b ∈ Z} is a ring (with the usual addition and multiplication). √ √ 10. Show that Q[ 2] = {a + b 2 | a, b ∈ Q} is a field. 11. Show that G = {a + bi | a, b ∈ Z} is a ring (where i 2 = −1). This ring is known as the ring of Gaussian integers. Which elements of G are invertible? 12. Find an example of elements a, b in a ring R with a = 0 such that the equation ax = b has more than one solution. 13. Let R be a commutative ring with identity. Show that R is a field if and only if every equation of the form ax = b with a, b ∈ R and a = 0 has a unique solution. 14. Find all idempotents in Z12 . 15. Find all roots of the equation x 2 − 1 = 0 in (i) Z7 , (ii) Z8 , and (iii) Z9 . 16. Let F be a field. Show that the only solutions to the equation x 2 = x in F are x = 0 and x = 1. 17. Let M2 (Z3 ) denote the set of all 2 × 2 matrices over Z3 . Let A ∈ M2 (Z3 ). (i) (ii) (iii) (iv) (v)
What is the identity of M2 (Z3 )? How many elements are there in M2 (Z3 )? Describe −A. Is M2 (Z3 ) commutative? Give examples of an invertible element and a noninvertible element.
18. Let M2 (Z) denote the set of all 2 × 2 matrices over Z. Which elements are invertible?
86
Introduction to Applied Algebraic Systems
19. Let S, T be rings with identity and R = S × T be the direct product of S and T . (i) (ii) (iii) (iv)
Show that R is a ring. What is the zero of R? What is the identity of R? If S and T are fields, does it follow that R is a field? (Prove or give a counterexample.)
20. Let S = Z × Z with addition and multiplication defined by (a, b) + (c, d) = (a + c, b + d), (a, b)(c, d) = (a + bc, bd). Is S a ring? 21. Let R be a ring such that x 2 = x for all x ∈ R. Show that R is commutative. 22. Show that, for all n ∈ N, every nonzero element of Zn is either a unit or a zero divisor. Does the same assertion hold in Z?
2.2 Subrings and Subfields
It will be convenient to be able to refer to multiples and powers of elements and so we introduce the following notation. For every element a in a ring R, we define 1 · a = a 0 · a = 0R ⏐ ⏐ ⏐ integer ring element integer and for all m ∈ N (m + 1)a = ma + a, (−m)a = −(ma). Equivalently, ma = a + a + · · · + a, (−m)a = (−a) + (−a)+ · · · + (−a) . m terms
m terms
In this way we have assigned a meaning to ma for all m ∈ Z, a ∈ R in such a way that the following rules are obeyed: For all a, b ∈ R, m, n ∈ Z, (m + n)a = ma + na m(a + b) = ma + mb.
Rings and Fields
87
Next, for all a ∈ R, m ∈ N we define a 1 = a, a m+1 = a m · a. If R has an identity then we extend this notation to a0 = 1 and if a has an inverse then we define a −m = (a −1 )m . If a has an inverse then we have assigned a meaning to a m for all m ∈ Z. Moreover, a m a n = a m+n (a m )n = a mn
for all m, n ∈ Z for all m, n ∈ Z.
From Theorem 2.1.5 we know that Z5 is a field. Because Z5 is finite, there are things that happen in Z5 that do not happen in familiar examples of fields like Q and R. For instance, in Z5 , we have 5 · 1 = 1 + 1 + 1 + 1 + 1 = 5 = 0. Thus, as must happen in any finite field, there exist multiples of the identity that are zero, something that is impossible in Q or R. Let R be a ring with identity. If there exists n ∈ N such that n · 1 = 0, then the least such positive integer is called the characteristic of R. We will denote the characteristic of R by char(R). If there is no such integer, then R is said to have characteristic 0. The rings Z, Q, and R have characteristic 0. For any n ∈ N, Zn has characteristic n. Note that for any nontrivial ring R with identity—that is, any ring in which 1 = 0—R cannot have characteristic equal to 1 since that would imply that 1 = 1 · 1 = 0, which is a contradiction. Since the ring with just one element is rather uninteresting, we always assume that if R is a ring with identity, then its characteristic is either 0 or finite and greater than one. The next two results present some of the basic properties of the characteristic of a ring. Lemma 2.2.1 Let R be a finite ring with identity 1R . Then R has nonzero characteristic. Proof. Since R is finite, the set {m1R | m ∈ N}
88
Introduction to Applied Algebraic Systems
must also be finite. Hence, there must exist i, j ∈ N with 1 ≤ i < j such that i1R = j1R . Then (j − i)1R = j1R − i1R = 0 . Therefore, the characteristic of R lies between 1 and j − i.
Lemma 2.2.2 Let R be a ring of characteristic n = 0. (i) na = 0, for all a ∈ R. (ii) If R is a field, then n is a prime. Proof. (i) For all a ∈ R, we have na = a + a + · · · + a = 1R a + 1R a + · · · + 1R a n times
= (1R + · · · + 1R )a = (n1R )a = 0R · a = 0R . (ii) Suppose that n is not a prime, say n = rs where 1 < r, s < n. Then 0R = n1R = (rs)1R
= 1R + · · · + 1R = (1R + 1R + · · · + 1R) (1R + 1R + · · · + 1R) rs times r times s times
= (r1R )(s1R ).
By the minimality of n, we must have (r1R ) = 0 and (s1R ) = 0, which, since R is an integral domain, means that (r1R )(s1R ) = 0. Thus we have arrived at a contradiction and n must be a prime. Let S be a ring (respectively, a field) and R ⊆ S. Then R is a subring (respectively, subfield ) if R is a ring (respectively, a field) in its own right with respect to the same operations as in S. Example 2.2.3 2Z Z Q R
is a subring of is a subring of is a subfield of is a subfield of
Z Q R C
Rings and Fields
89
Lemma 2.2.4 Let S be a ring and ∅ = R ⊆ S. (i) R is a subring if and only if R is closed under +, −, and multiplication. (ii) If S is a field then R is a subfield if and only if R is a subring, 1S ∈ R, and also a ∈ R, a = 0 =⇒ a −1 ∈ R , where a −1 denotes the inverse of a in S. Proof. Note that the properties of associativity, distributivity, and the commutativity of addition (and multiplication in part (ii)) are all automatically inherited by R from S. Therefore it only remains to verify the ring conditions (iii) and (iv) to show that R is a ring in part (i), and then to verify the field conditions (viii) and (ix) to show that R is a field in part (ii). We leave this as an exercise. Subrings are usually quite plentiful and easy to find. One way to generate subrings is the following. For any ring R and any m ∈ N, we define the subset mR of R as follows: mR = {ma | a ∈ R}. This is always a subring of R and it turns out that all the subrings of Z and Zn are of this form (see the exercises). There is a very interesting difference in the way that subrings behave in regard to zeros and identities. Let R be a subring of a ring S and let their respective zeros be 0R and 0S . Then 0R = 0S (see the exercises). Now not all rings have identities, but let us assume that S has an identity 1S . This does not force R to have an identity. However, what is surprising is that even if R does have an identity, 1R say, then it is possible for this to be different from 1S —that is, it is possible to have 1R = 1S . For example, let S be the ring of all 2 × 2 matrices of real numbers and let R be the set of real matrices of the form 0 0 0 a where a ∈ R. Then R is a subring of S, both R and S have identities, but
0 1R = 0
0 1 = 1 0
0 = 1S . 1
What is even more surprising is that R is a field, even although S itself is not a field! However, this is only an issue in very unusual circumstances since,
90
Introduction to Applied Algebraic Systems
generally speaking, we are only interested in subfields of fields and in this case there is only one identity involved (see the exercises). Let R and S be rings and ϕ : R → S be a mapping such that ϕ(a + b) = ϕ(a) + ϕ(b) ϕ(ab) = ϕ(a)ϕ(b). Then ϕ is a homomorphism. If ϕ is a homomorphism and a bijection, then ϕ is an isomorphism and the rings R and S are said to be isomorphic. If R = S then ϕ is called an automorphism. If ϕ : R → S is an isomorphism, then so also is ϕ −1 : S → R (see the exercises). Note that although the symbol ϕ is used to denote the Euler ϕ-function, it is also used, as here, to denote more general mappings. This should not result in any confusion because the meaning is usually clear from the context. Example 2.2.5 Let S denote the set of all rational scalar multiples of the identity n × n matrix over Q: S = {cI | c ∈ Q}. Then S is a ring and the mapping ϕ : c −→ cI is an isomorphism of Q onto S. This example gives an isomorphism ϕ : Q → S, where we know both Q and S really well. The real benefits of this idea become more apparent when we understand the structure of S “well” and are able to show that some new ring R is actually isomorphic to S, one that we already know. Theorem 2.2.6 (i) Let F be a field of prime characteristic p. Let 1F be the identity of F and P = {m1F | m ∈ Z}. Then P is a subfield of F and the mapping ϕ : m −→ m1F
(m ∈ Zp )
is an isomorphism of Zp onto P. (ii) Let F be a field of characteristic 0. Let 1F be the identity of F and P = {(m1F )(n1F )−1 | m, n ∈ Z\{0}} ∪ {0}.
Rings and Fields
91
Then P is a subfield of F and the mapping m/n → (m1F )(n1F )−1 for m/n ∈ Q\{0} ϕ: 0 → 0F is an isomorphism of Q onto P. Proof. (i) Clearly P is closed under +, −, and multiplication so that P is a subring. For any m ∈ Z, let q, r ∈ Z be such that m = pq + r
0 ≤ r < p.
Then m1F = q(p1F ) + r1F = q · 0F + r1F = r1F so that P = {0 · 1F , 1 · 1F , . . . , (p − 1) · 1F }.
(2.1)
By the definition of the characteristic we know that 0 · 1F is the only element in this list equal to zero. It follows that these elements must also be distinct because, if 0 ≤ n < m < p and m1F = n1F , then 0F = m · 1F − n · 1F = (m − n) · 1F where 0 < m − n < p, which is a contradiction. Thus the elements of P are exactly those listed in (2.1). From this it is clear that ϕ is well defined and, indeed, a bijection. Now let a ∈ P\{0F }, say a = m1F where 1 ≤ m ≤ p − 1. Since p is a prime, it follows that (m, p) = 1. Consequently, from Corollary 1.3.8 we know that there exist x, y ∈ Z with mx + py = 1, so that (m1F )(x1F ) = (1 − py)1F = 1 · 1F − y(p1F ) = 1F − 0 F = 1F . Therefore, x1F = (m1F )−1 where x1F ∈ P. Hence, P is a subfield. Now let Zp = {0, 1, 2, . . . , p − 1} and consider the mapping ϕ. To see that ϕ respects addition, we consider two cases. Let m, n ∈ Zp . Case (1). As integers, m + n < p. Then ϕ(m + n) = (m + n)1F = m1F + n1F = ϕ(m) + ϕ(n).
92
Introduction to Applied Algebraic Systems
Case (2). As integers, m + n ≥ p. Let m + n = p + r where 0 ≤ r < p. Then m + n = r (in Zp ) so that ϕ(m + n) = ϕ(r) = r1F ϕ(m) + ϕ(n) = m1F + n1F = (m + n)1F = (p + r)1F = p1F + r1F = 0F + r1F
since F has characteristic p
= r1F = ϕ(m + n). Therefore ϕ respects addition. A similar argument will show that ϕ(mn) = ϕ(m)ϕ(n). Thus ϕ is an isomorphism. (ii) An exercise. The subfield of F described in Theorem 2.2.6 is called the prime subfield or the base subfield of F . An important feature of fields of characteristic p is that the arithmetic of sums raised to powers of p is especially simple. Lemma 2.2.7 Let F be a field of characteristic p, a prime. Let n ∈ N and a, b ∈ F . Then n
n
n
(a ± b)p = a p ± b p . Proof. An exercise. (Hint: show that p divides all the coefficients in expansion n of (a ± b)p except for the first and last.) Exercises 2.2 1. What are the characteristics of the following rings? (i) (ii) (iii) (iv) (v) (vi)
Mn (Z). Mn (Zn ). Z × Z. Zn × Zn . Z × Zn . Z4 × Z6 .
2. Let F be a field of characteristic p, a prime. Show that (a ± b)p = a p ± b p , for all a, b ∈ F . 3. Let R be a ring, a ∈ R and m ∈ N. Show that the following are subrings of R: (i) {mx | x ∈ R}. (ii) {x ∈ R | ax = 0}.
Rings and Fields
93
(iii) {x ∈ R | xa = 0}. (iv) {x ∈ R | xy = yx for all y ∈ R}. The subring in (iv) is called the center of R. 4. Let R be any subring of Z, R = {0}. Show that there exists m ∈ N with R = m Z. (Hint: Show that R contains a smallest positive integer.) 5. Let R be any subring of Zn (n ∈ N). Show that there exists m ∈ N with R = m Zn . 6. Let R be a subring of S. Show that 0R = 0S . 7. Let F be a subring of a field G. Show that, if F is a field, then F and G share the same zero, identity, and characteristic. 8. Let R = {0, 5, 10} in Z15 . Show that R is a subfield. What is the identity of R? 9. Find subrings F and G of Z6 that are isomorphic to Z2 and Z3 , respectively. (Describe the isomorphisms explicitly.) What are the identities of F and G? 10. Find an example of a ring R and an element a ∈ R such that the subrings described in parts (ii) and (iii) of Exercise 3 are distinct. 11. Let R be a ring and A be a subset of R. Let S be the intersection of all subrings of R that contain A. Show that S is a subring of R. 12. Let F be a field of characteristic p, a prime. Show that G = {a ∈ F | a p = a} is a subfield of F . 13. Let R and S be rings and ϕ : R → S be an isomorphism. Show that ϕ −1 : S → R is also an isomorphism. 14. Let R and S be rings and ϕ : R → S be an isomorphism. Let a ∈ R. Prove the following: (i) R is commutative ⇐⇒ S is commutative. (ii) R has an identity ⇐⇒ S has an identity. When both have an identity, ϕ(1R ) = 1S . (iii) ϕ(a) = 0 ⇐⇒ a = 0. (iv) a is a zero divisor ⇐⇒ ϕ(a) is a zero divisor. (v) a is invertible ⇐⇒ ϕ(a) is invertible. (vi) b = a −1 ⇐⇒ ϕ(b) = (ϕ(a))−1 .
94
Introduction to Applied Algebraic Systems
15. Let R and S be rings and ϕ : R → S be an isomorphism. Prove the following: (i) R is an integral domain if and only if S is an integral domain. (ii) R is a field if and only if S is a field. 16. Prove that the following pairs of rings are not isomorphic: (i) Z6 and Z8 . (ii) Z3 × Z3 and Z9 . (iii) Z81 and M2 (Z3 ). 17. Show that if m | n and
n m
is not a prime then m Zn has zero divisors.
∗ 18.
Let m, n ∈ N be such that m | n and mn = p is a prime. Show that there exists a ∈ N with 1 ≤ a < p and (ma)2 = ma in Zn if and only if (m, p) = 1.
∗ 19.
Let m, n, and p be as in Exercise 18. Let a ∈ N be such that 1 < a < p and (ma)2 = ma in Zn . Show that ma is the identity for m Zn .
∗ 20.
With m, n, and p as in Exercise 19, show that m Zn is a field.
∗ 21.
Let F be a finite field of characteristic p. Show that the mapping ϕ : a → ap
(a ∈ F )
is an isomorphism of F onto itself. 22. Show that any subring R (R = {0}) of a finite field must be a subfield. 23. Show that, for any prime p, Q( p) = {a + b p | a, b ∈ Q} is a subfield of R. 24. Show that ϕ : a+b p →a−b p √ is an automorphism of Q( p). ∗ 25.
Let R denote the set of matrices of the form
a b
where a, b ∈ R.
−b a
Rings and Fields
95
(i) Show that R is a field with respect to matrix addition and multiplication. (ii) Show that R is isomorphic to (C, +, · ).
2.3 Review of Vector Spaces
It is assumed here that you have been exposed to the basic theory of vector spaces, perhaps in a standard introductory course to linear algebra. This section is only intended to provide a quick review of the basic ideas and to use them to obtain some important facts about finite fields. A vector space over a field F is a set of elements V together with two operations, namely + (addition) and · (scalar multiplication), satisfying the following axioms for all x, y, z ∈ V and all a, b ∈ F : (1) x + y ∈ V . (2) x + y = y + x. (3) x + (y + z) = (x + y) + z. (4) There exists an element 0 ∈ V such that x + 0 = x. (5) There exists an element −x such that x + (−x) = 0. (6) a · x ∈ V . (7) For the identity 1 ∈ F , 1 · x = x. (8) a · (x + y) = a · x + a · y. (9) (a + b) · x = a · x + b · x. (10) (ab) · x = a · (bx). The elements of F are called scalars and the elements of V are called vectors. Example 2.3.1 Some familiar examples of vector spaces are the following: Field Vectors Q Q R Q R C F Q R
Qn Rn Rn Cn Cn Cn Fn Mn (Q) Mn (R)
Dimension n Infinite n Infinite 2n n n n2 n2
96
Introduction to Applied Algebraic Systems
Note that when we consider the vector spaces Qn and Rn over Q, the operations of vector addition and scalar multiplication are the same and the scalars are the same, only the underlying sets of vectors are different. In general, if V and W are vector spaces over the same field F , then we will say that V is a subspace of W if V ⊆ W . So, the vector space Qn over Q is a subspace of the vector space Rn over Q, but it is not a subspace of the vector space Rn over R because the field of scalars is different. Let V be a vector space over a field F and B ⊆ V . Then B is said to be (linearly) dependent if there exist a1 , . . . , an ∈ F , not all of which are zero, and v1 , . . . , vn ∈ B with a1 v1 + a2 v2 + · · · + an vn = 0. If B is not dependent, then it is linearly independent. Put another way, the set B is linearly independent if whenever a1 v1 + a2 v2 + · · · + an vn = 0 for some scalars ai ∈ F and vectors vi ∈ B, then necessarily a1 = a2 = · · · = an = 0. The set B of vectors in V is said to span V if for all v ∈ V there exist c1 , . . . , cn ∈ F and v1 , . . . , vn ∈ B with v = c1 v1 + c2 v2 + · · · + cn vn . Lemma 2.3.2 Let V be a vector space over a field F and B ⊆ V . Then the following conditions are equivalent: (i) B is linearly independent and spans V . (ii) For every v ∈ V there exist unique scalars c1 , c2 , . . . , cn ∈ F and vectors v1 , . . . , vn ∈ B with v = c1 v1 + c2 v2 + · · · + cn vn . If B is a set of vectors in a vector space V satisfying the conditions of Lemma 2.3.2, then B is a basis for V . Theorem 2.3.3 Every vector space has a basis. Theorem 2.3.4 Let V be a vector space over a field F . Let B1 and B2 be two bases for V . Then there exists a bijection from B1 to B2 . Let V be a vector space over a field F . Let B be a basis for V . If B is finite then V is said to be finite dimensional and |B| is called the dimension of V . (By Theorem 2.3.4, the dimension of a vector space does not depend on any particular basis!)
Rings and Fields
97
Let V and W be vector spaces over the same field F . A mapping ϕ : V → W is an isomorphism if it satisfies the following conditions: (i) ϕ is a bijection. (ii) ϕ(u + v) = ϕ(u) + ϕ(v) for all u, v ∈ V . (iii) ϕ(au) = aϕ(u) for all a ∈ F , v ∈ V . If there exists an isomorphism ϕ : V → W , then V and W are isomorphic. Lemma 2.3.5 Let V be a vector space of dimension n over a field F . Then V is isomorphic to F n . We can use Lemma 2.3.5 to tell us something very important about the relative sizes of finite fields and their subfields. Theorem 2.3.6 Let F be a finite field and E be a subfield of F . Then there exists n ∈ N such that |F | = |E|n . Proof. We consider F as a vector space over the field E. Let B be a basis for F over E. Since F is finite, so also is B. Let B = {v1 , . . . , vn }.
Then every element of F can be written uniquely in the form c1 v1 + c2 v2 + · · · + cn vn
with ci ∈ E.
Therefore, the number of distinct elements in F is exactly equal to the number of sequences of the form (c1 , c2 , . . . , cn )
with ci ∈ E.
The number of choices for each ci is |E|, so that the number of such sequences is |E|n . Thus |F | = |E|n . In the previous section we saw that every finite field of charateristic p contains a prime subfield isomorphic to Zp . We can now build on that to obtain an important restriction on the size of any finite field. Corollary 2.3.7 Let F be a finite field of characteristic p. Then there exists n ∈ N with |F | = p n . Proof. In Theorem 2.2.6 we saw that F contains a subfield P with p elements. Applying Theorem 2.3.6, we then find that there exists n ∈ N with |F | = |P|n = p n .
98
Introduction to Applied Algebraic Systems
Essentially the same argument will give us more precise information regarding the relationship between the size of a finite field and the size of any subfield. Corollary 2.3.8 Let F be a finite field of characteristic p and |F | = p n (n ∈ N). Let E be a subfield of F . Then |E| = p m for some integer m such that m | n. Proof. Clearly E must also have characteristic p, since F and E share the same identity. Thus, |E| = p m for some m ∈ N. By Theorem 2.3.6 there exists k ∈ N with |F | = |E|k so that p n = |F | = |E|k = (p m )k = p mk . Consequently, n = mk and m | n.
The next result gives us a picture of the additive structure of a finite field. Corollary 2.3.9 Let F be a field with p n elements. Then as a vector space over Zp , F is isomorphic to Znp . Proof. Clearly F has characteristic p and prime subfield (isomorphic to) Zp . By Theorem 2.3.3, there exists a basis B for F as a vector space over Zp . Since F is finite, B must also be finite so that the dimension of B is |B| = m, say. By Lemma 2.3.5, F is isomorphic (as a vector space) to Zm p . Consequently, n p m = |Zm p | = |F | = p
so that m = n and the result follows.
Of course, one of the first applications in any linear algebra course is the solution of systems of linear equations. All the standard arguments used in that context work equally well over an arbitrary field. In particular, the definitions of matrices and determinants are just as meaningful over an arbitrary field. We conclude our review with one final observation in that regard. Theorem 2.3.10 Let A be an n × n matrix over a field F . Then A is invertible if and only if det(A) = 0. One major question now confronting us is: Where can we find fields with p n elements? The answer to this question lies in the study of polynomials, which we will commence in the next section.
Rings and Fields
99
Exercises 2.3 1. Are the vectors u = (1, −1, 2, 0), v = (−3, 1, 1, −1), and w = (1, 1, 1, 1) independent (i) in R4 (ii) in Z43 ? 2. Do the vectors u = (1, −1, 2, −2), v = (−2, 1, −1, 2), w = (2, −2, 1, −1), and x = (−1, 2, −2, 1) span (i) R4 (ii) Z43 ? 3. Show that V = {(x, y, u, v) ∈ R4 | x + 2y − u + 3v = 0} is a subspace of R4 . Find a basis for V . 4. Extend {(1, 1, 1, 1), (1, 0, 1, 0)} to a basis for R4 . 5. Let V be a vector space over a field F of dimension n. Let A be an independent subset with m < n elements. Prove that there exists a basis B for V with A ⊆ B. 6. Let F be a field. Find a basis for Mn (F ) over F . What is the dimension of Mn (F )? 7. Let
⎡
1 ⎢ 1 A=⎢ ⎣ 1 1
1 1 0 0
1 2 1 0
⎤ −1 1 ⎥ ⎥ 3 ⎦ 1
over Z3 . (i) Find the row rank of A. (ii) Find a basis for the row space. (iii) What is the dimension of the column space? 8. Let A be the matrix in Exercise 7. Solve the system of equations AX = 0 (in Z3 ). 9. Let
⎡
1 ⎣ 1 A= 0 over Z5 . Find A −1 .
0 1 1
⎤ 1 0 ⎦ 1
100 Introduction to Applied Algebraic Systems
10. Let F be either of the subrings of Z6 from Exercise 2.2.9 that are fields. Define addition and “scalar” multiplication as follows: For any u, v ∈ Z6 , a ∈ F, u + v = sum of u and v in Z6 av = product of a and v in Z6 . Is Z6 a vector space over F with respect to these definitions? 11. Find a basis for the vector space of polynomials with rational coefficients as a vector space over Q. 12. Let F be a field and n > 0. Is V = {A ∈ Mn (F ) | det A = 0} a subspace of Mn (F )? √ 13. (i) Show that √p ∈ / Q, for any prime p. (Hint: Try p = 2 first.) (ii) Show that 6 ∈ / Q. √ √ 14. Show that 1, 2, and 3 are independent when R is viewed as a vector space over Q. √ 15. What is the dimension of Q( p) when viewed as a vector space over Q? (See Exercise 2.2.24.)
2.4 Polynomials
We now know a little bit about the size of finite fields (they must have p n elements), but the only examples that we have so far are the fields of the form Zp with exactly p elements. So, we might ask ourselves, are there fields with 22 = 4, 23 = 8, 32 = 9 (and so forth) elements and, if so, what do they look like? It turns out that the key to progress on these questions is the study of polynomials. Let R be a ring. Then a polynomial over R is an expression of the form a(x) = a0 + a1 x + a2 x 2 + · · · + an x n where each ai ∈ R. We must be careful here because there is a real trap. We are conditioned from years of working with calculus and with real numbers to assume that polynomial means a special kind of function. Here we are going to give it a different interpretation. What is the real meaning of x? It is not an “unknown” to enable us to define a function; we are not thinking of a(x) as a function. For example, consider the polynomials x 3 + x 2,
x2 + x
Rings and Fields 101
over Z3 . We want to consider these as distinct polynomials. However, if we wish to do so we can use these expressions to define functions from Z3 to Z3 so that, say, f (a) = a 2 + a for all a ∈ Z3 g (a) = a 3 + a 2 for all a ∈ Z3 . But then it is easily checked that these two functions are the same. This is not a problem that can occur when dealing with polynomials over the rational or real numbers (see Exercise 2.5.10). It can only occur over finite fields. So what do we really mean by x 3 + x 2 and x 2 + x and in what sense can we consider them to be distinct? There is more than one approach that can be used to clarify the distinction between polynomials and functions. Our formal definition of a polynomial over a ring R will be a sequence (a0 , a1 , . . .) of elements from R, at most a finite number of which are nonzero. We define addition and multiplication of polynomials over R by (a0 , a1 , a2 , . . . , an , . . .) + (b0 , b1 , . . . , bn , . . .) = (a0 + b0 , a1 + b1 , a2 + b2 , . . . , an + bn , . . .) (a0 , a1 , a2 , . . . , an , . . .) · (b0 , b1 , b2 , . . . , bn , . . .) = (a0 b0 , a0 b1 + a1 b0 , a0 b2 + a1 b1 + a2 b0 , . . .). Clearly, the result of addition or multiplication is another sequence with, at most, a finite number of nonzero elements. These rules of addition and multiplication exactly parallel our customary understanding of addition and multiplication of polynomials as expressions in a variable: (a0 + a1 x + a2 x 2 + · · · ) + (b0 + b1 x + b2 x 2 + · · · ) = (a0 + b0 ) + (a1 + b1 )x + (a2 + b2 )x 2 + · · · and (a0 + a1 x + a2 x 2 + · · · )(b0 + b1 x + b2 x 2 + · · · ) = a0 b0 + (a0 b1 + a1 b0 )x + (a0 b2 + a1 b1 + a2 b0 )x 2 + · · · . Since the familiar notation for polynomials is more convenient in calculations, we revert back to that notation while keeping in mind that a polynomial is really a sequence (and not a function). We have the following
102 Introduction to Applied Algebraic Systems
correspondence: a0 + a1 x + a2 x 2 + · · · + an x n ↔ (a0 , a1 , a2 , . . . , an , 0, 0, . . .) 0 ↔ (0, 0, 0, . . .) a ↔ (a, 0, 0, . . .) x ↔ (0, 1, 0, . . .). For any commutative ring R with an identity, we denote by R[x] the set of polynomials (in x) over R—that is, with coefficients in R. With respect to the addition and multiplication in R[x] introduced above, R[x] is itself a commutative ring with identity and is called the ring of polynomials over R. For the polynomial f (x) = an x n + an−1 x n−1 + · · · + a0 with an = 0, we call ai the ith coefficient and an the leading coefficient. We call n the degree of f (x) and we write deg(f (x)) for the degree of f (x). If deg(f (x)) = 0, then f (x) = a0 ∈ F is called a constant. A polynomial of degree 1 is called linear. In other words, we adopt all the language concerning polynomials that is familiar to us. Note that no degree has been assigned to the zero polynomial. In some circumstances it is convenient to assign a special value, such as minus infinity or −1, to the degree of the zero polynomial and accompany it with some special rules as to how to combine it with other degrees. Here we will simply treat the zero polynomial either as a constant with degree zero or as a special case. If an = 1 then f (x) is monic. We identify x 0 with 1. Lemma 2.4.1 Let R be an integral domain and f (x) = am x m + · · · + a0 n
g (x) = bn x + · · · + b0
(am = 0) (bn = 0)
be elements of R[x]. Then deg(f (x)g (x)) = m + n and the leading coefficient of f (x)g (x) is am bn . Proof. An exercise.
The next result reveals that Z and F [x] have something in common. It is something that we will take advantage of shortly. Corollary 2.4.2 Let R be an integral domain. Then R[x] is also an integral domain.
Rings and Fields 103
Proof. Let f (x), g (x) ∈ R[x]\{0}. If f (x) and g (x) are both constants—that is, f (x), g (x) ∈ R—then f (x)g (x) = 0 since R is an integral domain. If either deg(f (x)) ≥ 1 or deg(g (x)) ≥ 1, then, by Lemma 2.4.1, deg(f (x)g (x)) = deg(f (x)) + deg(g (x)) ≥ 1 so that f (x)g (x) = 0. The result follows. For the most part we will be interested in the ring F [x] of polynomials over a field, but also in the ring Z [x], which is why the results pertaining to integral domains will be important. However, henceforth in this chapter, if not otherwise mentioned, F will denote a field. Theorem 2.4.3 (Division Algorithm for Polynomials) Let R be a ring with identity and let f (x), g (x) ∈ R[x] where g (x) = 0 and the leading coefficient of g (x) is invertible in R. Then there exist unique polynomials q(x) and r(x) in R[x] such that f (x) = g (x)q(x) + r(x)
(2.2)
where either r(x) = 0 or deg(r(x)) < deg(g (x)). Note. If R is, in fact, a field, then the hypothesis that the leading coefficient of g (x) be invertible is automatically satisfied. Proof. We begin by showing the existence of polynomials q(x) and r(x) satisfying (2.2). If deg(g (x)) = 0, then g (x) = a is a nonzero constant in R. By hypothesis, a has an inverse and f (x) = aa −1 f (x) = g (x)(a −1 f (x)) + 0 where q(x) = a −1 f (x), r(x) = 0 satisfy (2.2). So now suppose that deg(g (x)) ≥ 1. Let P denote the set of all polynomials of the form f (x) − g (x)q(x)
(q(x) ∈ R[x]).
The degrees of all the polynomials in P gives us a set of nonnegative integers. By the well-ordering principle, this set has a smallest element, k say. Let r(x) = f (x) − g (x)q(x) be such a polynomial of degree k. We now want to show that deg(r(x)) < deg(g (x)). Suppose that k = deg(r(x)) ≥ deg(g (x)). Let deg(g (x)) = m and let g (x) = am x m + · · · + a0 r(x) = bk x k + · · · + b0
(am = 0) (bk = 0).
104 Introduction to Applied Algebraic Systems
Then am has an inverse in R. So let −1 k−m r1 (x) = r(x) − bk am x g (x).
(2.3)
−1 x k−m g (x) will cancel, it follows that Since the terms in x k from r(x) and bk am deg(r1 (x)) < deg(r(x)). Also, −1 k−m x g (x) r1 (x) = r(x) − bk am −1 k−m = f (x) − g (x)q(x) − bk am g (x) x −1 k−m = f (x) − g (x)[q(x) + bk am x ]
∈ P. This contradicts the choice of r(x) as a polynomial with least degree in P. Therefore, we must have deg(r(x)) < deg(g (x)), and so q(x) and r(x) do indeed satisfy (2.2). It remains for us to establish the uniqueness of the polynomials q(x) and r(x). Let q1 (x) and r1 (x) also be polynomials satisfying (2.2)—that is, f (x) = g (x)q1 (x) + r1 (x) and deg(r1 (x)) < deg(g (x)). Then 0 = f (x) − f (x) = g (x)q(x) + r(x) − g (x)q1 (x) − r1 (x) = g (x)(q(x) − q1 (x)) + r(x) − r1 (x) so that g (x)(q(x) − q1 (x)) = r1 (x) − r(x).
(2.4)
If q(x) − q1 (x) = 0, then, since the leading coefficient of g (x) is invertible, the degree of the left-hand side of (2.4) is at least as great as the degree of g (x) whereas deg(r1 (x) − r(x)) < deg(g (x)). This is a contradiction. Therefore, q(x) − q1 (x) = 0 so that r1 (x) − r(x) = 0. Hence q(x) = q1 (x) and r(x) = r1 (x), and we have established uniqueness. The division algorithm has many useful applications concerning roots and factors. Let f (x), g (x) ∈ F [x]. If there exists a polynomial h(x) ∈ F [x] such that f (x) = g (x)h(x)
Rings and Fields 105
then g (x) is a divisor or factor of f (x) (in F [x]) and we say that g (x) divides f (x) and write g (x) | f (x). For f (x), g (x), d(x) ∈ F [x], we say that d(x) is a greatest common divisor (gcd) of f (x) and g (x) if (i) d(x) | f (x), g (x) (ii) if c(x) | f (x), g (x), then c(x) | d(x). Now, for every a ∈ F ∗ we have aa −1 = 1. Hence, f (x) = d(x)d (x) g (x) = d(x)d (x)
=⇒
f (x) = ad(x)(a −1 d (x)) g (x) = ad(x)(a −1 d (x))
Thus, if d(x) is a greatest common divisor of f (x) and g (x), then any nonzero scalar multiple ad(x) (a = 0) is also a greatest common divisor. Thus, a greatest common divisor is not unique. For example, if f (x) = (x − 2)(x − 3) and g (x) = (x − 2)(2x + 3) in Q[x], then clearly x − 2 | f (x) and g (x). But we also have
3 1 x− f (x) = (5x − 10) 5 5
2 3 and g (x) = (5x − 10) x+ 5 5
so that 5x − 10 = 5(x − 2) also divides f (x) and g (x). However, if we impose one further condition then we obtain uniqueness. Theorem 2.4.4 (Euclidean Algorithm for Polynomials) Let F be a field and f (x), g (x) be nonzero polynomials in F[x]. Then f (x) and g (x) have a unique monic greatest common divisor d(x). Moreover, there exist polynomials λ(x), µ(x) ∈ F [x] such that d(x) = λ(x)f (x) + µ(x)g (x).
(2.5)
Proof. The proof of the existence of a greatest common divisor d(x) = d0 + d1 x + · · · dn x n
(dn = 0)
for f (x) and g (x) follows from the division algorithm for polynomials (Theorem 2.4.3) exactly as the proof of the corresponding result (Theorem 1.3.4) for integers follows from the division algorithm for integers (Lemma 1.3.2). If dn = 1, then dn−1 d(x) is also a greatest common divisor and is monic. So let us assume that d(x) is a monic greatest common divisor.
106 Introduction to Applied Algebraic Systems
Now let c(x) be another monic greatest common divisor. Then d(x) | c(x) and c(x) | d(x) so that there exist polynomials a(x), b(x) with c(x) = a(x)d(x),
d(x) = b(x)c(x).
Hence, deg(c(x)) ≥ deg(d(x)) and deg(d(x)) ≥ deg(c(x)), which implies that deg(c(x)) = deg(d(x)). Consequently, deg(a(x)) = deg(b(x)) = 0 so that a(x) and b(x) are constants. Since c(x) and d(x) are monic, a(x) = b(x) = 1. Thus, c(x) = d(x) and there is only one monic greatest common divisor of f (x) and g (x), and we have established the required uniqueness. The proof of the existence of polynomials λ(x) and µ(x) to satisfy (2.5) follows exactly as for the corresponding part of Theorem 1.3.4, expressing the greatest common divisor of two integers a, b in the form ax + by, where x, y ∈ Z. Henceforth, by the greatest common divisor of two polynomials f (x) and g (x) in F [x], we mean the unique monic greatest common divisor of f (x) and g (x). When it comes to calculating the greatest common divisor of two polynomials, the extended Euclidean algorithm works exactly as before. Example 2.4.5 Find the gcd of f (x) = x 5 + 4x 3 + 4x 2 + 3 and g (x) = x 2 + 3x + 2 where f (x), g (x) ∈ Z5 [x]. We apply the division algorithm by performing a long division. (Note that the coefficients are always calculated in Z5 .) x 3 +2x 2 +x + 2 x 2 + 3x + 2 x 5 +0.x 4 +4.x 3 +4.x 2 +0.x + 3 x 5 +3x 4 +2x 3 2x 4 +2x 3 +4x 2 2x 4 +x 3 +4x 2 x 3 +0 · x 2 +0 · x x 3 +3x 2 +2x 2x 2 +3x + 3 2x 2 +x + 4 2x + 4 Thus, f (x) = g (x)(x 3 + 2x 2 + x + 2) + (2x + 4).
Rings and Fields 107
Now we divide g (x) by 2x + 4:
2x+4
3x+3
x 2 +3x +2
x 2 +2x x+2 x+2 0 Then g (x) = (2x + 4)(3x + 3) so that f (x) = g (x)(x 3 + 2x 2 + x + 2) + (2x + 4) g (x) = (2x + 4)(3x + 3) and we find that 2x + 4 is a greatest common divisor for f (x) and g (x). However, this is not a monic polynomial, so we do not refer to it as the greatest common divisor. We have 2x + 4 = 2(x + 2) so that x + 2 is a monic greatest common divisor and x + 2 = gcd (f (x), g (x)). Therefore, remembering that our coefficients are drawn from Z5 , we have gcd(f (x), g (x)) = x + 2 = 3 × 2 × (x + 2) = 3 × (2x + 4) = 3 × (f (x) − (x 3 + 2x 2 + x + 2)g (x)) = 3f (x) − 3(x 3 + 2x 2 + x + 2)g (x) = 3f (x) + 2(x 3 + 2x 2 + x + 2)g (x). Alternatively, the extended Euclidean algorithm then leads to the following table: i 0 1 2 3
qi — — x 3 + 2x 2 + x + 2 3x + 3
ri x 5 + 4x 3 + 4x 2 + 3 x 2 + 3x + 2 2x + 4 0
xi 1 0 1
yi 0 1 −(x 3 + 2x 2 + x + 2)
From the table we conclude that 2x + 4 = 1 · f (x) − (x 3 + 2x 2 + x + 2)g (x).
.
108 Introduction to Applied Algebraic Systems
However, 2x + 4 is not a monic polynomial so we will obtain the greatest common divisor if we multiply this equation by 3 to obtain x + 2 = 3(2x + 4) = 3 · f (x) + (2x 3 + 4x 2 + 2x + 4)g (x). Exercises 2.4 1. Compute the sum and product of the following polynomials: (i) x 3 + 2x 2 + 2 and 2x 2 + x + 1 in Z3 [x]. (ii) 2x 3 + 4x 2 + 3 and x 3 + 5x 2 + 4 in Z6 [x]. 2. Show that the following pairs of polynomials induce the same mappings: (i) (ii) (iii) (iv)
x 4 + x 3 + 1, x 2 + x + 1 on Z3 . x 5 − x, 0 on Z5 . x p − x, 0 on Zp . x 2 + 1, x 4 + 1 on Z4 .
3. Show that 6x + 1 is invertible in Z12 [x]. 4. Find a nonconstant invertible polynomial in Z4 [x]. 5. Show that if n ∈ N and n is not a prime, then Zn [x] is not an integral domain. 6. Let F be a field and f (x) ∈ F [x]. Show that f (x) is invertible in F [x] if and only if f (x) is a nonzero constant polynomial. 7. Show that in Z3 [x], (x + 1)3 = x 3 + 1. 8. Show that in Zp [x], where p is a prime, (x + 1)p = x p + 1. 9. Show that, if n > 1 and n is not a prime, then in Zn [x], (x + 1)n = x n + 1. 10. Show that if p is a prime and fi (x) ∈ Zp [x], i = 1, 2, . . . , n, then (f1 (x) + · · · + fn (x))p = f1 (x)p + f2 (x)p + · · · + fn (x)p . 11. Let f (x) = an x n + an−1 x n−1 + · · · + a0 ∈ Zp [x] where p is a prime. Show that (f (x))p = f (x p ).
Rings and Fields 109
12. Let f (x) = x 4 + 2x 3 + 1 and g (x) = x 2 + x + 1. Find the quotient and remainder when f (x) is divided by g (x) as polynomials in (i) Q[x] (ii) Z3 [x] (iii) Z5 [x]. 13. With f (x) and g (x) as in Exercise 12, find gcd(f (x), g (x)) in (i) Q[x] (ii) Z3 [x] (iii) Z5 [x]. ∗ 14.
With f (x) and g (x) as in Exercise 13, find polynomials λ(x), µ(x) for which gcd(f (x), g (x)) = λ(x)f (x) + µ(x)g (x) in (i) Q[x] (ii) Z3 [x] (iii) Z5 [x].
15. Show that if R and S are isomorphic rings, then R[x] is isomorphic to S[x].
2.5 Polynomial Evaluation and Interpolation
For any ring R, f (x) ∈ R[x] and a ∈ R, we can evaluate the polynomial f (x) at a by substituting the element a for every occurrence of x in f (x) and calculating the resulting expression in R. We denote the result by f (a). For example, if f (x) = 2x 2 + x + 1 ∈ Q[x] and a = 3, then f (3) = 2 · 9 + 3 + 1 = 22 whereas if f (x) = 2x 2 + x + 1 ∈ Z5 [x] and a = 3, then f (3) = 2 · 9 + 3 + 1 = 22 ≡ 2 mod 5. In other words, associated with each polynomial f (x) ∈ R[x] there is a function f (x) : a −→ f (a) (a ∈ R) that evaluates the polynomial at each point a ∈ R. As we saw in the previous section, different polynomials may yield the same function. If f (x) ∈ R[x] and a ∈ R is such that f (a) = 0, then a is a zero or root of f (x) in R.
110 Introduction to Applied Algebraic Systems
Lemma 2.5.1 Let R be an integral domain, a, a1 , . . . , am be distinct elements in R, and f (x) ∈ R[x]. Then (i) a is a zero for f (x) ⇐⇒ x − a is a factor of f (x) (ii) a1 , . . . , am are zeros for f (x) ⇐⇒ (x − a1 )(x − a2 ) · · · (x − am ) is a factor of f (x). Proof. (i) First suppose that f (a) = 0. Now divide f (x) by x − a. By the division algorithm for polynomials, there exist polynomials q(x) and r(x) in R[x] such that f (x) = (x − a)q(x) + r(x) where either r(x) = 0 or deg(r(x)) < deg(x − a) = 1. Consequently, r(x) ∈ R—say, r(x) = c ∈ R—and f (x) = (x − a)q(x) + c. Evaluating f (x) at a, we find that 0 = f (a) = (a − a)q(a) + c = 0 · q(a) + c = c. Thus, f (x) = (x − a)q(x) and x − a is a factor of f (x). Conversely, now suppose that x −a divides f (x)—say, f (x) = (x −a)q(x) for some q(x) ∈ R[x]. Then f (a) = (a − a)q(a) = 0 · q(a) = 0 so that a is a root of f (x). (ii) We argue by induction. We know from the first part that the claim holds when m = 1. So assume that m > 1. Let a1 , . . . , am be zeros for f (x). By the first part, there exists a polynomial q(x) ∈ R[x] such that f (x) = (x − a1 )q(x) and, necessarily, deg(q(x)) < deg(f (x)). Then, for 2 ≤ i ≤ m, 0 = f (ai ) = (ai − a1 )q(ai ).
Rings and Fields 111
Since the ai are all distinct, we have ai − a1 = 0 provided that i = 1. Since R is an integral domain, we must have q(a) = 0 for a = a2 , a3 , . . . , ak . By the induction hypothesis, this implies that q(x) = (x − a2 ) · · · (x − am )q2 (x) for some polynomial q2 (x). Thus, f (x) = (x − a1 )(x − a2 ) · · · (x − am )q2 (x) as required. Conversely, it is clear that if (x − a1 )(x − a2 ) · · · (x − am ) divides f (x), then the elements a1 , a2 · · · am are all zeros of f (x). Lemma 2.5.2 Let F be a field and f (x) ∈ F [x] be a nonzero polynomial of degree n. Then f (x) can have, at most, n distinct zeros in F . Proof. Let f (x) have distinct zeros a1 , a2 · · · am . By Lemma 2.5.1, it follows that there exists a polynomial q(x) ∈ F [x] such that f (x) = (x − a1 )(x − a2 ) · · · (x − am )q(x) from which it follows that the degree of f (x) is at least m. In other words, m ≤ n as required. Exercise 2 in this section shows that Lemma 2.5.2 is not necessarily true if F is not a field. For any complex number z = a + ib, the number z¯ = a − ib is the complex conjugate of z. Note that z¯ = z if and only if z ∈ R. There is a bond between z and z¯ that is of particular interest to us. Lemma 2.5.3 The mapping ϕ : a + ib → a − ib
(a + ib ∈ C)
is an automorphism of C. Moreover, for any complex number z, we have that ϕ(z) = z if and only if z is a real number.
112 Introduction to Applied Algebraic Systems
Proof. Clearly φ is a bijection. Let a + ib, c + id ∈ C. Then ϕ((a + ib) + (c + id)) = ϕ(a + c + i(b + d)) = a + c − i(b + d) = (a − ib) + (c − id) = ϕ(a + ib) + ϕ(c + id) and ϕ((a + ib) · (c + id)) = ϕ(ac − bd + i(ad + bc)) = ac − bd − i(ad + bc) = (a − ib) · (c − id) = ϕ(a + ib) · ϕ(c + id). Therefore, φ respects addition and multiplication and so φ is an isomorphism. The final claim in the Lemma is clear. This will enable us to establish the important fact that the complex roots of a polynomial with real coefficients occur in conjugate pairs. Theorem 2.5.4 Let f (x) ∈ R[x] and z ∈ C be a root of f (x). Then z¯ is also a root of f (x). Proof. Let f (x) = a0 + a1 x + · · · + an x n where ai ∈ R. Let ϕ : C → C be defined as in Lemma 2.5.3. Note that ϕ(a) = a for all a ∈ R. Then 0 = f (z) = a0 + a1 z + · · · + an z n so that 0 = ϕ (0) = ϕ (a0 ) + ϕ (a1 ) ϕ (z) + · · · + ϕ (an ) ϕ (z)n = a0 + a1 z¯ + · · · + an z¯ n = f (¯z ) . Thus, z¯ is also a root of f (x), as required.
Of course, Theorem 2.5.4 is telling us something new only if z ∈ / R. If z ∈ R, then ϕ (z) = z¯ = z and Theorem 2.5.4 yields no information. One simple consequence of Theorem 2.5.4 is as follows.
Rings and Fields 113
Corollary 2.5.5 Let f (x) ∈ R[x] and deg(f (x)) = 3. Then either f (x) has three real roots (and so factors completely over R) or else f (x) has one real root and two distinct complex roots of the form z, z¯ . In the previous discussion, we looked at how a polynomial can assume the value zero. From time to time, we are interested in constructing polynomials that assume certain assigned values, not necessarily just zero, for certain values of the variable x. For instance, we may be interested in finding, or at least in knowing of the existence of, a polynomial that will yield the values y1 , y2 , . . . , yn when x assumes the distinct values x1 , x2 , . . . , xn , respectively. Another way of describing this would be to say that we want to find a polynomial f (x) ∈ F [x] for which the graph {(x, f (x)) | x ∈ F } passes through the points (xi , yi ), 1 ≤ i ≤ n. This process is called interpolation or polynomial interpolation. We describe two ways in which this can be accomplished: Lagrange interpolation and Newton interpolation. Lagrange Interpolation. Let f (x) =
(x − x2 )(x − x3 ) · · · (x − xn ) · y1 (x1 − x2 )(x1 − x3 ) · · · (x1 − xn ) (x − x1 )(x − x3 ) · · · (x − xn ) · y2 + . . . . + (x2 − x1 )(x2 − x3 ) · · · (x2 − xn )
We can write this a bit more compactly if we introduce the polynomials Li (x) =
(x − xj ) j=i
and then the Lagrange formula can be written as f (x) =
Li (x) yi . Li (xi ) i
Newton Interpolation. In this case, we define the polynomial that we want inductively. Let f1 (x) = y1 f2 (x) = f1 (x) + (y2 − y1 )
(x − x1 ) (x2 − x1 )
... = ... fn (x) = fn−1 (x) + (yn − fn−1 (xn ))
(x − x1 ) · · · (x − xn−1 ) . (xn − x1 ) · · · (xn − xn−1 )
114 Introduction to Applied Algebraic Systems
We leave it as an exercise for you to verify that these polynomials do indeed assume the values required at the appropriate places.
Example 2.5.6 Using both the Lagrange and Newton interpolation methods, find a polynomial f (x) ∈ Z5 that has the values 1, 0, 3 at the points 0, 1, 3, respectively. Lagrange’s method yields: f (x) =
(x − 0)(x − 2) (x − 0)(x − 1) (x − 1)(x − 2) ·1+ ·0+ ·3 (0 − 1)(0 − 2) (1 − 0)(1 − 2) (2 − 0)(2 − 1)
= 3(x 2 − 3x + 2) + 3 · 3x(x − 1) = 2x 2 + 2x + 1. Newton’s method yields: f1 (x) = 1 f2 (x) = f1 (x) + (y2 − f1 (1))
(x − 0) (1 − 0)
= 1 + (0 − 1)x = 1 − x f3 (x) = f2 (x) + (y3 − f2 (2))
(x − 0)(x − 1) (2 − 0)(2 − 1)
= 1 − x + 4 · 3x(x − 1) = 2x 2 + 2x + 1. As we will see in a moment, the fact that the methods produce the same polynomial in this example is no accident. One attraction of Newton’s method over Lagrange’s method is that if you already have a polynomial that has the desired values y1 , . . . , yn at n points x1 , . . . , xn and want a polynomial that has these values at these points and a value of yn+1 at an additional point xn+1 , then with Newton’s method it is only necessary to calculate one additional term whereas with Lagrange’s method it is necessary to recalculate the whole polynomial. Note that with both the Newton and Lagrange methods applied to n values, we obtain a polynomial of degree at most n − 1. This bound on the degree has a very nice consequence. Theorem 2.5.7 Let xi , yi , 1 ≤ i ≤ n be elements of a field F where the xi are distinct. Then there exists a unique polynomial f (x) ∈ F [x] of degree n − 1 such that yi = f (xi ), 1 ≤ i ≤ n.
Rings and Fields 115
Proof. We can use either the Lagrange or Newton form of interpolation to guarantee the existence of a polynomial with the desired properties. Now suppose that that f (x), g (x) ∈ F [x] both satisfy the requirements— that is, f (xi ) = g (xi ) = yi for all 1 ≤ i ≤ n. Let h(x) = f (x) − g (x). Then, h(xi ) = f (xi ) − g (xi ) = yi − yi = 0. By Lemma 2.5.1, it follows that (x − xi ) divides h(x) for all 1 ≤ i ≤ n. Hence, (x − x1 ) · · · (x − xn ) | h(x). However, (x − x1 ) · · · (x − xn ) is a polynomial of degree n, so that the only way that it can divide h(x), which is at most of degree n − 1, is if h(x) = 0. Thus, f (x) − g (x) = 0 and f (x) = g (x). Thus there is a unique polynomial with the required properties. Exercises 2.5 Throughout the exercises we abide by our convention that F denotes a field. 1. Let a ∈ F and f (x) ∈ F [x]. Show that f (a) is the remainder when f (x) is divided by x − a. 2. Find all zeros of x 2 + 2x in Z12 . Why does this not contradict Lemma 2.5.2? 3. Let p be a prime number. Show that there exist infinitely many f (x) ∈ Zp [x] such that f (a) = 0 for all a ∈ Zp . 4. Show that for every function g : Z2 → Z2 , there exists a polynomial f (x) ∈ Z2 [x] such that g (a) = f (a) for all a ∈ Z2 . 5. Repeat Exercise 4 but with an arbitrary finite field F in place of Z2 . 6. Using both Lagrange and Newton interpolation, find a polynomial f (x) ∈ Z7 [x] that assumes the values 2, 1, 0 when x = 0, 1, 2, respectively. 7. Repeat the previous exercise over the field Q. 8. Let f (x), g (x) ∈ F [x] both assume the values y1 , y2 , . . . , ym at the distinct points x1 , x2 , . . . , xm , respectively. Show that there exists a polynomial q(x) ∈ F [x] such that f (x) = g (x) + (x − x1 ) · · · (x − xm )q(x).
116 Introduction to Applied Algebraic Systems
9. Let F be an infinite field and f (x) ∈ F [x] be such that f (a) = 0 for all a ∈ F . Show that f (x) = 0. 10. Let F be an infinite field and f (x), g (x) ∈ F [x] be such that f (a) = g (a) for all a ∈ F . Show that f (x) = g (x). 11. Let x1 , . . . , xn be distinct elements in F . Prove that the n Lagrange Polynomials Li (x) constitute a basis in F [x] for the subspace of polynomials of degree, at most, n − 1.
2.6 Irreducible Polynomials
We now come to a concept for polynomials that strongly resembles the concept of a prime number. Throughout this section, F denotes a field. Since f (x) = a −1 (a f (x)) for every f (x) ∈ F [x], a ∈ F ∗ , we see that every polynomial can be factored into two polynomials. The crucial point to observe in this factorization is that af (x) has the same degree as f (x). Let R be an integral domain and f (x) ∈ R[x] be a nonconstant polynomial—that is, deg(f (x)) ≥ 1. Then f (x) is said to be reducible if there exist polynomials g (x), h(x) ∈ R[x], neither of which is a constant such that f (x) = g (x)h(x). A polynomial that is not reducible is said to be irreducible. In other words, a polynomial f (x) ∈ R[x] with deg(f (x)) ≥ 1 is said to be irreducible if it satisfies the following condition: f (x) = g (x)h(x), where g (x), h(x) ∈ R[x], =⇒ either g (x) or h(x) is a constant. For example, the polynomial x 2 + 1 is irreducible over Z. To see this, suppose that x 2 + 1 = (ax + b)(cx + d) where a, b, c, d ∈ Z. Then, equating coefficients, we must have ac = 1 so that a, c = ±1. Without loss of generality, we may assume that a = 1. Hence, substituting x = −b we obtain b 2 + 1 = 0, which is clearly impossible. On the other hand, x 4 + x 3 + x + 1 = (x + 1)(x 3 + 1) in Z[x], so this polynomial is reducible.
Rings and Fields 117
Lemma 2.6.1 Let f (x), g (x) ∈ F [x] and f (x) be monic and irreducible. Then, gcd (f (x), g (x)) = 1 or f (x). Proof. Let d(x) = gcd (f (x), g (x)) and h(x) ∈ F [x] be such that f (x) = d(x)h(x). By the hypothesis on f (x), either d(x) or h(x) must be a constant. If d(x) is a constant then d(x) = 1, since d(x) is monic. If h(x) is a constant, then f (x) and d(x) have the same degree and are both monic. Consequently, h(x) = 1 so that d(x) = f (x). Clearly, all polynomials of degree 1 are irreducible. For degrees 2 and 3, there is a very useful test. Suppose that f (x) ∈ F [x] is reducible of degree 2 or 3. This means that there exist polynomials g (x), h(x) ∈ F [x], neither of which is a constant, such that f (x) = g (x)h(x). Then, deg (f (x)) = deg (g (x)) + deg (h(x)). Consequently, since deg(f (x)) = 2 or 3, either deg (g (x)) = 1
or
deg (h(x)) = 1.
Suppose that deg(g (x)) = 1. Then, for some a, b ∈ F , with a = 0, g (x) = ax + b = a(x + a −1 b) = a(x − c) where c = −a −1 b. Thus we find that f (x) is divisible by a polynomial of the form x − c so that, by Lemma 2.5.1, f (x) has a root c in F . We have, therefore, established the direct part of the next result. Lemma 2.6.2 Let f (x) ∈ F [x] and deg(f (x)) = 2 or 3. Then f (x) is reducible if and only if f (x) has a zero in F . Equivalently, f (x) is irreducible if and only if f (x) has no zeros in F .
118 Introduction to Applied Algebraic Systems
Proof. It only remains to show that if f (x) has a zero in F , then it is reducible, but this follows immediately from Lemma 2.5.1. Example 2.6.3 The following polynomials are irreducible over Z2 : 1 + x + x 2,
1 + x + x 3,
1 + x 2 + x 3.
Consider f (x) = 1 + x 2 + x 3 . We have f (0) = 1,
f (1) = 3
so that f (x) has no zero in Z2 . By Lemma 2.6.2, f (x) is irreducible. Similar arguments apply to the other polynomials. Example 2.6.4 The following polynomials are irreducible over Z3 : 1 + x 2 , 1 + x + 2x 2 , 1 + 2x + 2x 2 . The existence of irreducible polynomials of various degrees is extremely important to the study of finite fields. Theorem 2.6.5 Let F be a finite field and n ∈ N. Then there exists an irreducible monic polynomial in F [x] of degree n. Proof. The number of monic polynomials of degree n in F [x]—that is, polynomials of the form a0 + a1 x + · · · + an−1 x n−1 + x n —is simply |F |n , since each of the coefficients a0 , . . . , an−1 can be chosen arbitrarily. Any reducible monic polynomial f (x) ∈ F [x] of degree n can be written as a product of two or more irreducible polynomials of degree less than n. So the basic idea is to calculate inductively the number of irreducible monic polynomials of each degree and from that calculate the number of reducible monic polynomials of degree n with the outcome being less than |F |n . For illustrative purposes here, we will just deal with the smallest case when n = 2. A proof of the general claim using a different approach can be found in Corollary 2.12.10. The total number of monic polynomials of degree 2 is just |F |2 . Any reducible monic polynomial f (x) of degree 2 must factor as (x + a)(x + b) for some a, b ∈ F . The number of ways in which this can happen is
|F | 2
|F |
if
a = b
if
a = b.
Rings and Fields 119
Therefore, the number of reducible monic polynomials of degree 2 is |F | + |F | 2 so that the number of irreducible monic polynomials of degree 2 is |F | |F | 2 |F | − + |F | = > 0. 2 2 Thus, there do exist irreducible polynomials of degree 2 over any finite field. Theorem 2.6.6 Let f (x) ∈ F [x]. Then f (x) can be written as a product of irreducible polynomials. If f (x) = g1 (x) · · · gr (x) = h1 (x) · · · hs (x) where the polynomials gi (x), hi (x) are irreducible, then r = s and the order of the factors may be rearranged so that for all i, 1 ≤ i ≤ r, there exists ai ∈ F ∗ with gi (x) = ai hi (x). Proof. The proof is parallel to that of the corresponding result for integers (Theorem 1.4.2). See the exercises for more details. The following fact is very useful when factorizing polynomials with integer coefficients. Proposition 2.6.7 Let f (x) ∈ Z[x]. If f (x) is reducible in Q[x], then it is reducible in Z[x]. Proof. Let f (x) = g1 (x)h1 (x) where g1 (x), h1 (x) ∈ Q[x] and deg (g1 (x)), deg (h1 (x)) ≥ 1. Let a (respectively, b) be the product of all the denominators of the coefficients in g1 (x) (respectively, h1 (x)). Let g (x) = a g1 (x) and h(x) = b h1 (x). Then f (x) =
1 g (x)h(x) ab
where g (x), h(x) ∈ Z[x]. Let p be a prime that divides ab and let g (x) = am x m + · · · + a0 h(x) = bn x n + · · · + b0 . Since f (x) ∈ Z[x], it follows that p divides every coefficient of g (x)h(x). In other words, if we consider g (x) and h(x) as polynomials in Zp [x], we have
120 Introduction to Applied Algebraic Systems
g (x)h(x) = 0. But by Corollary 2.4.2, Zp [x] is an integral domain. Therefore, either g (x) = 0 or h(x) = 0 in Zp [x]. Thus, either p divides all the coefficients of g (x) or else p divides all the coefficients of h(x). Without loss of generality, we may assume the former and may write 1 1 g (x) h(x) f (x) = (ab)/p p where p1 g (x), h(x) ∈ Z[x]. Repeating this argument sufficiently often, we will finally divide the whole of ab into g (x)h(x) and express f (x) as a product of two polynomials with integer coefficients. One general application of the preceding result is the following famous criterion for irreducibility in Q[x]. Theorem 2.6.8 (Eisenstein’s Criterion) Let p be a prime and f (x) = an x n + an−1 x n−1 + · · · + a0 ∈ Z[x] be such that (i) p | an (ii) p | an−1 , . . . , a0 (iii) p 2 | a0 . Then, f (x) is irreducible in Q[x]. Proof. Let f (x) = g (x)h(x) where g (x) = bs x s + bs−1 x s−1 + · · · + b0 ∈ Q[x] h(x) = ct x t + ct −1 x t −1 + · · · + c0 ∈ Q[x] and s, t ≥ 1. By Proposition 2.6.7, we may assume that g (x), h(x) ∈ Z[x]. Since a0 = b0 c0 and p 2 does not divide a0 , it follows that p does not divide both b0 and c0 . So we may assume that p | c0 and p does not divide b0 . Now an = bs ct so that p does not divide ct . Let k be the smallest integer such that p | c0 , p | c1 , . . . , p | ck−1 , p | ck . From the preceding remarks, we know that 0 < k ≤ t . Then ak = b0 ck + b1 ck−1 + · · · + bk c0 ≡ b0 ck mod p so that p does not divide ak . By the hypothesis of the theorem, this means that k = n, which implies that t = n and s = 0, which is a contradiction. The factorization of a polynomial into a product of irreducible polynomials depends very much on the field of coefficients. For example, x 10 + 4x 7 − 3x 6 + 5x 2 + 1
Rings and Fields 121
has the following factorizations into a product of irreducible polynomials: (x + 1)(x 9 − x 8 + x 7 + 3x 6 − 6x 5 + 6x 4 − 6x 3 + 6x 2 − x + 1) in Z[x] or Q[x] (x + 1)(x 9 + 2x 8 + x 7 + 2x + 1) in Z3 [x] (x + 1)(x + 3)(x 8 + x 7 + 3x 6 + 4x 5 + 2x 4 + 4x 2 + 4x + 2) in Z5 [x] (x + 1)(x + 3)2 (x + 5)2 (x 5 + 4x 4 + 4x 3 + 2x 2 + 4x + 1) in Z7 [x] (x + 1)(x + 2)(x 3 + 5x 2 + 8x + 2)(x 4 + x 3 + 4x 2 + 2x + 7) inZ11 [x].
Exercises 2.6 1. Show that the polynomials 1 + x + x 2 , 1 + x + x 3 , 1 + x 2 + x 3 ∈ Z2 [x] are irreducible. 2. Show that the polynomials listed in Exercise 1 are the only irreducible polynomials in Z2 [x] of degrees 2 and 3. 3. Show that the following polynomials in Z3 [x] are irreducible: (i) 1 + x 2 ,
(ii) 2 + x + x 2 ,
(iii) 2 + 2x + x 2 ,
(iv) 2 + 2x 2 ,
(v) 1 + 2x + 2x 2 ,
(vi) 1 + x + 2x 2 .
4. Show that the monic polynomials listed in Exercise 3 are the only irreducible monic polynomials in Z3 [x] of degree 2. 5. Show that the following are irreducible in Z2 [x]: (i) x 4 + x + 1. (ii) x 4 + x 3 + 1. (iii) x 4 + x 3 + x 2 + x + 1. 6. Show that the number of irreducible quadratic monic polynomials in Zp [x] is 12 p(p − 1). (Hint: First find the number of reducible quadratic monic polynomials.) 7. Show that the number of irreducible cubic monic polynomials in Zp [x] is 13 p(p 2 − 1). 8. (i) Find all reducible polynomials in Z2 [x] of degree 4. (ii) Find all irreducible polynomials in Z2 [x] of degree 4. 9. Factorize the following into products of irreducible polynomials: (i) x 3 + 2x 2 + x + 1 in Z3 [x]. (ii) x 3 + x + 2 in Z5 [x]. (iii) x 3 + 3x 2 + 3 in Z7 [x].
122 Introduction to Applied Algebraic Systems
10. Factorize the following into products of irreducible polynomials: (i) x 4 + x 3 + x + 1 in Z2 [x]. (ii) x 4 + 1 in Z3 [x]. (iii) x 4 + 1 in Z5 [x]. 11. Show that if f (x) = an x n + an−1 x n−1 + · · · + a1 x + a0 ∈ F [x] is irreducible, then so also is g (x) = a0 x n + a1 x n−1 + · · · + an . 12. Let f (x) = ax 2 + bx + c ∈ R[x], a = 0. Give necessary and sufficient conditions in terms of the coefficients a, b, and c for f (x) to be irreducible over R. 13. Let f (x) ∈ F [x] be a nonconstant polynomial. Show, by induction on deg(f (x)), that f (x) can be written as a product of irreducible polynomials. 14. Let p(x), q(x), r(x) ∈ F [x]. Show that if p(x) | q(x)r(x) and (p(x), q(x)) = 1, then p(x) | r(x). 15. Show that if p(x), qi (x) ∈ F [x], p(x) is irreducible and p(x) | q1 (x) · · · qn (x), then p(x) | qi (x) for some i. 16. Use Exercises 13, 14, and 15 to complete the proof of Theorem 2.6.6. 17. Are the following polynomials reducible in Q[x]? (i) 2x 4 − 6x 3 + 9x + 15. (ii) x 5 + 10x 2 + 50x + 20. (iii) x 3 − 2x + 6. 18. Let p be a prime. (i) Show that x p − 1 = (x − 1)(x p−1 + x p−2 + · · · + x + 1). (ii) Show that x p−1 + x p−2 + · · · + x + 1 is irreducible in Z[x]. (Hint: p −1 Try substituting x = y + 1 in xx−1 .) The next two exercises develop some properties of the formal derivative f (x) of a polynomial f (x) = A0 + a1 x + a2 x 2 + · · · + an x n ∈ F [x]: f (x) = a1 + 2a2 x + 3a3 x 2 + · · · + nan x n−1 . 19. Let f (x) =
m i=0
n
ai x i , g (x) =
bj x j ∈ F [x] and a ∈ F , where F is a
j=0
field. Establish the following: (i) (ii) (iii) (iv) (v) (vi)
(af (x)) = af (x). (f (x) + g (x)) = f (x) + g (x). (f (x)x k ) = f (x)x k + kf (x)x k−1 . (f (x)g (x)) = f (x)g (x) + f (x)g (x). (n ∈ N). (g (x)n ) = ng (x)n−1 g (x) f (g (x)) = f (g (x))g (x).
Rings and Fields 123
20. Let f (x) =
n
ai x i ∈ F [x]. Show that (f (x), f (x)) = 1 if and only if
i=0
there exists an irreducible polynomial p(x) such that p(x)2 divides f (x). 21. Let F be a subfield of a field G. Let f (x), g (x) ∈ F [x] and h(x) ∈ G[x] be such that f (x) = g (x)h(x). Let f (x) =
ai x i ,
i=0
g (x) =
m
bi x i ,
h(x) =
i=0
n
ci x i .
i=0
Show that ci ∈ F for all i—that is, h(x) ∈ F [x]. 2.7 Construction of Fields
In chapter 1 we saw how, for each prime p, we could construct a field Zp from Z by using the congruence relation ≡p . We have also seen how F [x], like Z, is an integral domain and has polynomials (we called them irreducible) with properties resembling those of prime numbers. We are now going to copy within the context of F [x] what we did with Z to construct the field Zp . We are now going to perform the same kind of construction on F [x]. Throughout this section, F denotes an arbitrary field (which need not be finite). Let f (x) ∈ F [x] be a nonconstant polynomial. We can use f (x) to define a relation ≡f (x) , or simply ≡, on F [x] as follows: a(x) ≡ b(x)(mod f (x)) ⇐⇒ f (x) | a(x) − b(x). Equivalently, a(x) ≡ b(x) ⇐⇒ a(x) = b(x) + k(x)f (x) for some k(x) ∈ F [x]. Theorem 2.7.1 (i) ≡ is an equivalence relation on F [x]. (ii) a(x) ≡ c(x) and b(x) ≡ d(x) then a(x) + b(x) ≡ c(x) + d(x) and a(x)b(x) ≡ c(x)d(x). (iii) The operations + and · on the set F [x]/f (x) of ≡ classes defined by [a(x)] + [b(x)] = [a(x) + b(x)], [a(x)][b(x)] = [a(x)b(x)] are well defined. (iv) With respect to these operations, F [x]/f (x) is a commutative ring with 1.
Proof. The proof will be established in the exercises. The arguments are almost identical to those used in Theorem 1.5.3, Lemma 1.6.5, and Theorem 1.6.6, with the appropriate substitution of polynomial for integer and so on.
124 Introduction to Applied Algebraic Systems
We refer to the elements of F [x]/f (x) as the congruence classes mod f (x). Note that [0] = {k(x)f (x) | k(x) ∈ F [x]} is the zero of F [x]/f (x) and that [1] = {1 + k(x)f (x) | k(x) ∈ F [x]} is the identity of F [x]/f (x). Note that the set F = {[a] | a ∈ F } of all the elements of F [x]/f (x) of the form [a] is a field that is clearly isomorphic to F under the isomorphism a → [a]. It is customary to identify F and F by considering the elements a and [a] to be the “same”. In this way we can consider any polynomial g (x) = a0 + a1 x + · · · + am x m ∈ F [x] also as a polynomial in F [x]—namely, g (x) = [a0 ] + [a1 ]x + · · · + [am ]x m . It is easy to see that F [x]/f (x) will not always be a field. If we let f (x) = (x − 1)2 ∈ Zp [x], then x − 1 is not congruent to 0 modulo f (x) so that in Zp [x]/f (x), we have [x − 1] = [0] but [x − 1][x − 1] = [(x − 1)2 ] = [f (x)] = [0]. Thus, F [x]/f (x) is not an integral domain in this case. In chapter 1 we saw how useful it was to have a nice set of representatives of the classes modulo n—namely 0, 1, 2, . . . , n − 1. Many calculations were greatly simplified by reducing to one set of representatives. It turns out that a similar device will help us analyze F [x]/f (x). Theorem 2.7.2 Let F be a field, f (x) ∈ F [x], n = deg(f (x)) ≥ 1, and ≡ be as above. Let g (x) ∈ F [x] and g (x) = f (x)q(x) + r(x) where deg(r(x)) < deg(f (x)). (i) g (x) ≡ r(x). (ii) Every ≡ class contains a unique polynomial of degree less than n.
Rings and Fields 125
(iii) If F is finite, then |F [x]/f (x)| =| F |n . Proof. (i) Let g (x) ∈ F [x] and g (x) = q(x)f (x) + r(x) where deg(r(x)) < n. Then f (x) | g (x) − r(x) and g (x) ≡ r(x). (ii) By the division algorithm there always exist polynomials q(x), r(x) that satisfy the hypothesis of the theorem. Thus, every ≡ class contains a polynomial of degree less than n. Now suppose that g (x) ≡ h(x) where deg (h(x)) < n. Then, h(x) ≡ r(x) so that f (x) | (h(x) − r(x)) whereas deg(h(x) − r(x)) < n. This can only happen if h(x) − r(x) = 0. Therefore h(x) = r(x) and each ≡ class contains exactly one polynomial of degree less than n. (iii) Now suppose that F is finite. Every ≡-class contains a unique polynomial of degree less than n. Hence, |F [x]/f (x)| = number of ≡ classes = |{a0 + a1 x + · · · + an−1 x n−1 | ai ∈ F }| = |F |n where the last equality follows from the fact that we have |F | independent choices for each of the coefficients ai . Just as in chapter 1 where we identified Zn with {0, 1, 2, . . . , n − 1}, we can now identify F [x]/f (x) with the set {a0 + a1 x + · · · + an−1 x n−1 | ai ∈ F } of all polynomials over F of degree, at most, n − 1. Example 2.7.3 Let f (x) = x 2 + x + 1 ∈ Z2 [x]. By Theorem 2.7.2, we have Z2 [x]/(x 2 + x + 1) = {0, 1, x, 1 + x}
where the elements add and multiply as for elements of Z2 [x], except that we use the equality x 2 = x + 1 to reduce any polynomial of degree 2 or more to a linear polynomial. Thus, x(1 + x) = x + x 2 = x + x + 1 = 1
126 Introduction to Applied Algebraic Systems
for example, so that x and x + 1 are both invertible elements. Since 1 is also an invertible element, it follows that Z2 [x]/(x 2 + x + 1) is a field with 4 elements. In the same way, Z2 [x]/(x 2 + 1) = {0, 1, x, 1 + x}
but in this case (1 + x)2 = 1 + 2x + x 2 = 1 + x 2 = 1 + 1 = 0 so that Z2 [x]/(x 2 + 1) has zero divisors and is not an integral domain and therefore is not a field. The next result characterizes the circumstances in which we will obtain a field. Theorem 2.7.4 Let f (x), F , and ≡ be as above and G = F [x]/f (x). (i) G is a field if and only if f (x) is irreducible in F [x]. (ii) G contains a root of f (x)—namely, [x]. Proof. By Theorem 2.7.1, G is a commutative ring with 1. (i) Let G be a field. Suppose f (x) is reducible—say, f (x) = g (x)h(x)
where
g (x), h(x) are not constants.
Then deg(g (x)) < deg(f (x)) and deg(h(x)) < deg(f (x)) so that [g (x)] = 0 = [h(x)] but [g (x)][h(x)] = [f (x)] = [0]. Since a field has no zero divisors, this is a contradiction. Hence, f (x) is irreducible. Now suppose that f (x) is irreducible. Since we know that G is a commutative ring with identity, it only remains to show that every nonzero element in G has an inverse. Let g (x) ∈ F [x], [g (x)] = 0. Then f (x) does not divide g (x). Consequently, (f (x), g (x)) = 1 so that by Theorem 2.4.4 there exist λ(x), µ(x) ∈ F [x] with λ(x) f (x) + µ(x) g (x) = 1. Hence, µ(x)g (x) ≡ 1 or [µ(x)][g (x)] = [1] and [g (x)] has an inverse— namely, [µ(x)]. Therefore, G is a field.
Rings and Fields 127
(ii) Let f (x) = a0 + a1 x + · · · + an x n and consider the element [x] in G. Then, substituting [x] into the polynomial f (x), we obtain f ([x]) = [a0 ] + [a1 ][x] + [a2 ][x]2 + · · · + [an ][x]n = [a0 ] + [a1 x] + [a2 x 2 ] + · · · + [an x n ] = [a0 + a1 x + a2 x 2 + · · · + an x n ] = [f (x)] = [0]. Thus, [x] is a root of the polynomial f (x) in G.
Let f (x) ∈ F [x]. Then f (x) has an irreducible factor, say g (x). We have seen in Theorem 2.7.4 that there is then a field G containing F which contains a root of g (x), which will necessarily also be a root of f (x). Let us call that root a (in Theorem 2.7.4, a = [x]). By Lemma 2.5.1(i), f (x) then has a linear factor x − a. We can repeat that process to obtain a complete factorization of f (x) into a product of linear factors. Theorem 2.7.5 Let f (x) ∈ F [x]. Then there exists a field K containing F as a subfield such that f (x) factors into a product of linear factors in K [x]. Proof. We argue by induction on the degree of f (x). If the degree of f (x) is one, then f (x) is a linear polynomial and the claim holds. So suppose that the degree of f (x) is n and that the claim holds for all fields and for all polynomials of degree less than n. First assume that f (x) is irreducible. By Theorem 2.7.4(i), there exists a field G containing F as a subfield and containing a root, a say, of f (x). Then, by Lemma 2.5.1(i), we can factor f (x) in G[x] as f (x) = (x − a)g (x), for some polynomial g (x) in G[x]. Since the degree of g (x) is n − 1, it follows from the induction hypothesis that there exists a field K containing the field G as a subfield such that g (x), and therefore also f (x), factors into a product of linear factors in K [x]. Thus the claim holds in this case. Now let us assume that f (x) is reducible as f (x) = g (x)h(x), where both g (x) and h(x) have smaller degrees than f (x). Then, by the induction hypothesis, there exists a field G containing F such that g (x) factors into a product of linear factors in G[x]. Again by the induction hypothesis, there exists a field K containing G such that h(x) factors into linear factors in K [x]. Thus both g (x) and h(x), and therefore also f (x), factor into linear factors in K [x] and the claim holds. We are now in a position to establish the existence of fields of size p n .
128 Introduction to Applied Algebraic Systems
Theorem 2.7.6 For every prime p and every positive integer n, there exists a unique field with p n elements. n
Proof. Let f (x) = x p − x ∈ Zp [x]. By Theorem 2.7.5, there exists a field G, say, such that f (x) factors into a product of linear factors in G[x]: f (x) = (x − a1 )(x − a2 ) · · · (x − ap n ) where a1 , a2 , . . . , an ∈ G. If there existed a repeated root, then (see Exercise 2.6.20) f (x) and f (x) would have a nonconstant common factor. But f (x) = p n x p
n −1
− 1 = −1.
So that is impossible and f (x) must have p n distinct roots. By Lemma 2.2.7, these roots form a subfield of G with p n elements. This establishes the existence of a field with p n elements. The assertion that this field is “unique” simply means that any two fields with p n elements will be isomorphic. From Corollary 2.3.9, we know that any two fields of the same size are isomorphic as vector spaces and therefore have the isomorphic additive structures. From Theorem 2.10.6 (to come) we will see that they have isomorphic multiplicative structures. But the real challenge is to show that there is an isomorphism that simultaneously respects both the additive and multiplicative structure. We will see how to achieve this in Section 2.13. Finite fields are often referred to as Galois fields after the brilliant young French mathematician Évariste Galois in recognition of his pioneering work in this area. Galois died tragically in a duel at the age of 20. Since there is a unique field (to within isomorphism) of size p n for each prime p and positive integer n, we can refer to the Galois field with p n elements. We will denote it by GF(p n ). Exercises 2.7 In Exercises 1 through 3, let F be a field and f (x) ∈ F [x]. Let ≡ be the relation on F [x] defined as at the beginning of this section. 1. Show that ≡ is an equivalence relation in F [x]. 2. Show that if a(x) ≡ c(x) and b(x) ≡ d(x), then a(x) + b(x) ≡ c(x) + d(x) and a(x)b(x) ≡ c(x)d(x). 3. Show that F [x]/f (x) is a commutative ring with identity with respect to the operations [a(x)] + [b(x)] = [a(x) + b(x)], [a(x)][b(x)] = [a(x)b(x)]. 4. Find all elements in Z5 [x]/(x 2 + 1) that are idempotent—that is, such that [a(x)]2 = [a(x)].
Rings and Fields 129
5. Find all the invertible elements in Z5 [x]/(x 2 + 1). (Hint: Consider the arbitrary element [ax + b] and the cases (i) a = 0, b = 0, (ii) a = 0, b = 0, (iii) a, b = 0.) 6. Which of the following are fields? (i) Z5 [x]/(x 2 + x + 1). (ii) Z5 [x]/(x 2 + 2x + 3). (iii) Z5 [x]/(x 2 + x + 4). 7. For which of the following numbers are there fields of that size? (i) (ii) (iii) (iv) (v) (vi)
11. 22. 27. 32. 48. 121.
8. What is the characteristic of the following fields? (i) (ii) (iii) (iv)
GF(16). GF(49). GF(81). GF(625).
9. Which of the following pairs of rings/fields are isomorphic? (i) (ii) (iii) (iv) ∗ 10.
Z5 , GF(5). Z8 , GF(8). Z17 , GF(17). Z27 , GF(27).
Let F be a subfield of a field G, m(x) ∈ F [x] be an irreducible monic polynomial of degree n, and let α ∈ G be a root of m(x). (i) Show that F (α) = {a0 + a1 α + · · · + an−1 α n−1 | ai ∈ F } is a subfield of G. (Hint for finding inverses: If f (x) = a0 + a1 α + · · · + an−1 α n−1 ∈ F (α), then the greatest common divisor of a0 + a1 x + · · · an−1 x n−1 and m(x) is 1.) (ii) By taking F = Q, G = C, m(x) = x 3 − 2, show that it is possible to have F (α) = F (β) for distinct roots α, β of m(x).
11. Let F be a field. (i) Formulate a theorem for polynomials in F [x] modeled on the Chinese remainder theorem for integers. (ii) Prove the theorem from part (i).
130 Introduction to Applied Algebraic Systems
2.8 Extension Fields
If F is a subfield of a field G then we also say that G is an extension field of F . In the previous section we saw one method of constructing extension fields by means of the construction F [x]/f (x). We will now consider some examples, focusing in particular on extensions of Zp . In any discussions involving polynomials to date, we have used the variable x. Returning to our original definition of a polynomial (as an infinite sequence with only a finite number of nonzero terms) we saw that the “variable” x really stands for the sequence (0, 1, 0, 0, 0, . . .). Clearly, any symbol other than x—for example, u, v, w, y, or z—would serve our purpose equally well. To avoid confusion as we begin to construct new fields and then consider polynomials over these new fields, we will adopt other variables such as u, v, w, y, z as the primary variable to be used in the construction process and will refer to whichever variable is used as the construction variable. As a first illustration we begin with a familiar example using an unfamiliar variable. Let us work with the variable i. Then the polynomial i 2 + 1 ∈ R[i]. Since the square of any real number is either positive or zero, it is clear that there is no real number i with i 2 = −1. Thus, i 2 + 1 is irreducible over the field R. We can therefore construct the field R[i]/(i 2 + 1). As mentioned in the previous section, we may identify the elements of this field with the polynomials in i of, degree less than 2, which is the degree of i 2 + 1. Thus, R[i]/(i 2 + 1) = {a + bi|a, b ∈ R}.
In this field, i 2 = −1 so that i is a root of x 2 + 1. Of course, what we have done is simply to reconstruct the complex numbers using the theory of the previous section. Example 2.8.1 Suppose we wish to construct a field with 9 = 32 elements. Then we are looking for a field with a finite characteristic that must be 3. If we start with Z3 and can find an irreducible polynomial f (y) ∈ Z3 [y] of degree 2, then F = Z3 [y]/f (y) will have 32 = 9 elements. From section 2.6, we know that f (y) = 1+y 2 is an irreducible polynomial in Z3 [y]. By Theorem 2.7.2 and the remarks following it, we can identify the elements of F with the polynomials in y of degree less than 2: F = {0, 1, 2, y, 1 + y, 2 + y, 2y, 1 + 2y, 2 + 2y}. Of course, just listing the elements of F does not tell us anything until we describe the addition and multiplication. Addition is almost trivial. We add
Rings and Fields 131
the elements as polynomials and then reduce the coefficients modulo 3: 1 + (2 + y) = 3 + y = 0 + y = y (2 + y) + (1 + 2y) = 3 + 3y = 0 (1 + y) + (1 + 2y) = 2 + 3y = 2 and so forth. To compute products in F we need to note that the zero in F = Z3 [y]/f (y) is the class [0] = [f (y)]. In other words, in F , 1 + y2 = 0 so that y 2 = −1 or, equivalently, y 2 = 2. Thus, to compute products we simply combine the elements as polynomials and then replace every occurrence of y 2 by 2: (1 + y)(1 + 2y) = 1 + 3y + 2y 2 = 1 + 2y 2 = 1 + 2 · 2 = 5 = 2 y(2 + 2y) = 2y + 2y 2 = 2y + 2 · 2 = 4 + 2y = 1 + 2y. A complete list of all products in F can be given in a table like the following, in which we have left the completion of the table as an exercise. MULTIPLICATION TABLE FOR GF(9)
0 1 2 y 1+y 2+y 2y 1 + 2y 2 + 2y
0 0 0 0 0 0 0 0 0 0
1 0 1 2 y 1+y 2+y 2y 1 + 2y 2 + 2y
2 0 2 1 2y 2 + 2y 1 + 2y y 2+y 1+y
y 0 y 2y
1+y 0 1+y 2 + 2y
4
1 + 2y
2+y 0 2+y 1 + 2y
2y 0 2y y
1 + 2y 0 1 + 2y 2+y
2 + 2y 0 2 + 2y 1+y
132 Introduction to Applied Algebraic Systems
Remark 2.8.2 (i) Since |F | = 9, we can write F = GF(9). (ii) The constants 0, 1, and 2 constitute a subfield of F isomorphic to Z3 . Thus, F is an “extension” of Z3 . (iii) We have seen that the polynomial f (x) = 1 + x 2 has no root in Z3 . However, it does have a root in GF(9) since, if we substitute the element y in GF(9) for x, then we obtain zero: f (y) = 1 + y 2 = 0. (iv) We have also seen that the polynomial g (x) = 1 + x 2 is irreducible over Z3 . This is no longer the case if we consider g (x) as a polynomial over GF(9) since (x + y)(x − y) = x 2 − y 2 = x 2 − 2 = x 2 + 1. Thus, by extending the field over which we are working we can find new roots and factorizations. The idea of a polynomial having no root in one field yet having a root in a larger field is a familiar one. For example, the polynomial x 2 − 2 has no root irreducible in the√field Q of rational numbers and is √ √in Q[x], but does have a root 2 ∈ R and factors in R[x] as (x − 2)(x + 2). Example 2.8.3 We have choices in how we construct GF(p n ). For example, x 2 + 1, x 2 + x + 2, x 2 + 2x + 2 are all irreducible over Z3 . Any one of these can be used to construct a copy of GF(9). In our first example we used x 2 + 1. Whichever polynomial we use, we will get a field with 9 elements. By Theorem 2.7.6, we must obtain the “same” field in each case. Let us now construct GF(9) using x 2 + x + 2. To avoid confusion between the two examples, we will use u as the construction variable in this example. The elements are then all linear polynomials a + bu
a, b ∈ Z3 .
Rings and Fields 133
Addition is as before. For multiplication we use the relation u 2 = 2u + 1: · 0 1 2 u 2u 1+u 2+u 1 + 2u 2 + 2u
0 1 0 0 0 1 0 2 0 u 0 2u 0 1+u 0 2+u 0 1 + 2u 0 2 + 2u
2 0 2
u 0 u
2u 0 2u
2u
1 + 2u
2+u
1+u 2+u 0 0 1+u 2+u
1 + 2u 0 1 + 2u
2 + 2u 0 2 + 2u
1+u
2 + 2u
2
1
This table “looks” different from the previous table since we now have u 2 = 1 + 2u whereas (using x 2 + 1) we previously had y 2 = 2. To demonstrate that Z3 [u]/(u 2 + u + 2)
and
Z3 [y]/(y 2 + 1)
are really the “same” field, we must produce an isomorphism from one to the other. It is not immediately obvious how to do this, so we will return to this question in section 2.13. Example 2.8.4 By the method of Lemma 2.6.2, we can verify that the polynomial f (y) = 1 + y + y 3 ∈ Z5 [y] is irreducible over Z5 . We can therefore use f (y) to construct the field Z5 [y]/f (y). This field has 53 = 125 elements and is therefore GF(125). Obtained in this way, the elements of GF(125) are the polynomials of the form a0 + a1 y + a2 y 2
where
a0 , a1 , a2 ∈ Z5 .
As before, addition is performed by combining coefficients as elements of Z5 . For example, (1 + 4y + 2y 2 ) + (3 + 3y + 4y 2 ) = 4 + 7y + 6y 6 = 4 + 2y + y 2 .
134 Introduction to Applied Algebraic Systems
To calculate products, we take advantage of the fact that [0] = [1 + y + y 3 ] so that y 3 = −1 − y = 4 + 4y. Hence, for example, (1 + 2y 2 )(3y + 4y 2 ) = 3y + 4y 2 + 6y 3 + 8y 4 = 3y + 4y 2 + (4 + 4y) + 3y(4 + 4y) = 3y + 4y 2 + 4 + 4y + 12y + 12y 2 = 4 + 4y + y 2 . Remark 2.8.5 (i) The constants 0, 1, 2, 3, 4 form a subfield of GF(125) isomorphic to Z5 . Thus, F is an extension of Z5 . (ii) The polynomial f (x) = 1 + x + x 3 has no root in Z5 . However, f (y) = 1 + y + y 3 = 0 in GF(125). Thus, f (x) does have a root in this extension field of Z5 . (iii) The polynomial f (x) = 1 + x + x 3 is irreducible over Z5 . However, since y is a root of f (x) as a polynomial over GF(125), f (x) must have a factor x − y. Thus we can divide f (x) by x − y: +(1 + y 2 ) x 2 +yx x − y x 3 +0.x 2 +x + 1 x 3 −yx 2 yx 2 +x yx 2 −y 2 x (1 + y 2 )x+1 (1 + y 2 )x−y(1 + y 2 ) 1 + y + y3 = 0
Thus, as polynomials over GF(125), we have x 3 + x + 1 = (x − y)(x 2 + yx + (1 + y 2 )). Example 2.8.6 Consider f (z) = z 2 + 2 ∈ Q[z]. Since z 2 + 2 has no zeros in Q (see Exercise 13 in section 2.3), it is irreducible in Q[z]. Let F = Q[z]/f (z). As before, we can identify F with the set of polynomials of degree less than 2, which is the degree of f (z): F = {a + bz | a, b ∈ Q}.
Rings and Fields 135
Addition in F is just the usual addition of polynomials. To calculate products, we note that [0] = [z 2 + 2] so that, in F , z 2 = −2. Hence, (a + bz)(c + dz) = ac + (ad + bc)z + bdz 2 = (ac − 2bd) + (ad + bc)z. Thus, z behaves just like
√
−2 and we can think of F as √ {a + b −2 | a, b ∈ Q}.
√ This field is often denoted by Q( −2). Remark 2.8.7 (i) The constants {a | a ∈ Q} form a subfield isomorphic to Q. (ii) The polynomial f (x) = x 2 + 2 has no root in Q. However, f (z) = z 2 + 2 = −2 + 2 = 0. Thus f (x) does have a root in F . (iii) The polynomial f (x) = x 2 + 2 is irreducible in Q[x]. However, in F [x] we have x 2 + 2 = (x + z)(x − z). We have seen in Theorem 2.7.5 how, for any field F and polynomial f (x) in F [x], there must exist a larger field over which f (x) factors completely into linear factors. This leads naturally to the question of the existence of fields over which every polynomial factors into linear factors. We already know one field with this property. Theorem 2.8.8 (The Fundamental Theorem of Algebra) Let f (x) ∈ C[x] be a monic polynomial and degf (x)) = n. Then there exist α1 , α2 , . . . , αn ∈ C with f (x) = (x − α1 ) (x − α2 ) · · · (x − αn ) . Proof. In order to prove this, it is necessary to have a precise description of the real numbers. It is also necessary to employ some deep analysis. See Brown and Churchill [BC], page 166. Let F be a field such that every f (x) ∈ F [x] factors into a product of linear factors over F . This is equivalent to saying that F contains a complete set of
136 Introduction to Applied Algebraic Systems
roots for f (x). Then F is said to be algebraically closed. A field K containing F as a subfield is said to be an algebraic closure of F if K is algebraically closed and every element of K is a root of some polynomial in F [x]. If K1 and K2 are both algebraic closures of F , then K1 and K2 are isomorphic. Thus we may speak of the algebraic closure of F . By Theorem 2.8.8, C is clearly the algebraic closure of R. In fact, algebraically closed fields are reasonably plentiful. Theorem 2.8.9 Every finite field F has an algebraic closure and for any two algebraic closures K1 , K2 of F there exists an isomorphism from K1 to K2 that restricts to the identity mapping on F . Proof. For a proof of this and even more general results concerning algebraic closures, see [McCa], Chapter 1. In particular, it follows from Theorem 2.8.9 that each of the fields Zp is contained in an algebraically closed field that, since it shares the same identity with Zp , will be of characteristic p and must be infinite (see the exercises). Since C is algebraically closed, every polynomial of the form x n −z(z ∈ C) has roots in C. We conclude this section with some observations concerning the roots of complex numbers. The polar representation of complex numbers is particularly helpful here in providing a simple way to present the nth roots of a complex number. Let z = r(cos θ + i sin θ ) ∈ C, and suppose that we wish to describe the roots of x n − z, that is, we wish to describe the nth roots of z. Let x = s(cos α + i sin α) be a solution. Then r (cos θ + i sin θ ) = x n = s n (cos nα + i sin nα) . Hence,
sn = r
and nα = θ + 2kπ
or
2kπ 1 θ+ . n n By taking k = 0, 1, 2, . . . , n − 1, we obtain n distinct solutions (corresponding to n points equally spaced around a circle of radius r 1/n ). But we know from the general theory that a polynomial of degree n can have at most n distinct roots. Hence, the distinct nth roots of z = r(cos θ + i sin θ) are θ + 2kπ θ + 2kπ + i sin 0 ≤ k ≤ n − 1. xi = r 1/n cos n n s n = r 1/n
and α =
Thus we have the following proposition. Proposition 2.8.10 Let α ∈ C, α = 0, and n ∈ N. Then the equation x n = α has n distinct solutions in C.
Rings and Fields 137
In particular, from Proposition 2.8.10, we see that every nonzero complex number has two distinct sqare roots, three distinct cube roots, four distinct quartic roots and so on. The roots of x n − 1 ∈ C[x] are called the nth roots of unity. For any nth root of unity α, it is evident that every power of α is also an nth root of unity. From the discussion preceding the Proposition, we know that x n − 1 has n distinct roots. If α is such that the powers 1, α, α 2 , . . . , α n−1 are all distinct, then these must be all the nth roots of unity and, when that is the case, α is called a primitive nth root of unity. We can then write
xn − 1 =
(x − α k ).
0≤k
Let α = cos
2π n
+ i sin
2π n
.
Then α is clearly a primitive nth root of unity. Moreover, for every positive integer k, we have α k = cos
2kπ n
+ i sin
2kπ n
so that α k is a primitive n root of unity if and only if k and n are relatively prime. Thus the number of primitive nth roots of unity is simply ϕ(n). The polynomial n (x) =
(x − α k )
1≤k
where the factors run over all the primitive nth roots of unity, has degree ϕ(n) and is known as the nth cyclotomic polynomial. More generally, let k be an integer with 0 ≤ k ≤ n − 1 and let d = (k, n). Then (α k )n/d = (α n )k/d = 1 Hence, α k is a root of x n/d − 1 and the powers n
1 = (α k )0 , (α k )1 (α k )2 . . . (α k ) d −1 are the dn distinct roots of x n/d − 1. In other words, α k is a primitive dn th root of unity. Thus, in the factorization of x n − 1 above, if we group together the factors involving the primitive dn th roots of unity, as we let d range over the
138 Introduction to Applied Algebraic Systems
divisors of n, then we obtain: xn − 1 =
n/d (x) =
d|n
d (x)
d|n
since, as d runs through all possible divisors of n, so also does n/d. Here are some examples: 1 (x) = x − 1 2 (x) = x + 1 4 (x) = (x − i)(x + i) = x 2 + 1. while x 4 − 1 = 1 (x) 2 (x) 4 (x) = (x − 1)(x + 1)(x 2 + 1) Note that each of 1 (x), 2 (x) and 4 (x) is a polynomial in Z[x], that is, they all have integer coefficients. This might look like just a coincidence due to the fact that the integers 1, 2, and 4 are so small. However, it turns out that this is always the case. Theorem 2.8.11 For all positive integers n, n (x) is a polynomial with integer coefficients. Proof. We argue by induction. We have already seen that the claim is valid for n = 1, so suppose that the claim holds for all m (x) for m < n. We have n (x) =
xn − 1 ! . d (x) d|n,d
A simple application of the division algorithm will now yield the desired result. By the induction assumption, each polynomial factor in the denominator has integer coefficients. Let the proper divisors of n be d1 = 1, d2 , . . . , dk . Then we can simply apply the division algorithm successively to x n − 1, (x n − 1)/ d1 (x), . . . with successive divisors equal to d1 (x), d2 (x) . . . At each step, we are dividing one monic polynomial with integer coefficients by another monic polynomial with integer coefficients and so, at each step, we must obtain a monic polynomial with integer coefficients. Therefore, after all the divisions have been completed, we are left with a monic polynomial with integer coefficients, namely n (x). The cyclotomic polynomials are also irreducible in Z[x], but a proof of this fact is beyond our reach at this point. Exercises 2.8 In Exercises 1 through 5, let GF(9) be constructed as in Example 2.8.1
Rings and Fields 139
1. Find a basis for GF(9) as a vector space over Z3 . What is the dimension of GF(9) over Z3 ? 2. Show that every element of GF(9) is a root of the polynomial x 9 − x ∈ Z3 [x]. 3. Factorize x 9 − x ∈ Z3 [x] into a product of irreducible polynomials. Determine the roots in GF(9) of each irreducible factor. 4. Factorize x 4 − 1 ∈ GF(9)[x] into a product of irreducibles (in GF(9)[x]). 5. Show that the polynomial x 3 − x + 1 is irreducible over GF(9). 6. Establish the following: (i) Z3 [y]/(1 + y 2 ) contains a root of x 2 + x + 2. (ii) Z3 [y]/(2 + y + y 2 ) contains a root of x 2 + 1. 7. What are the dimensions of the following vector spaces? (i) GF(64) over GF(4). (ii) GF(81) over Z3 . 8. Construct GF(4). (Describe the elements and describe the operations of addition and multiplication.) 9. Construct GF(8). (Describe the elements and describe the operations of addition and multiplication.) 10. Use the irreducible polynomial 1 + x + x 4 ∈ Z2 [x] to construct GF(16). (Describe the elements and describe the operations of addition and multiplication.) 11. Construct GF(27). (Describe the elements and the operations of addition and multiplication.) 12. Show that an algebraically closed field must be infinite. ∗ 13.
Does Z8 contain a subring isomorphic to GF(4)?
14. A subring I of a ring R is called an ideal if it satisfies the additional condition a ∈ I , x ∈ R =⇒ ax, xa ∈ I . For an ideal I of a ring R, define a relation ≡ on R by a ≡ b ⇐⇒ a − b ∈ I . Establish the following: (i) ≡ is an equivalence relation on R. (ii) If a ≡ b and c ≡ d, then a + c ≡ b + d and ac ≡ bd.
140 Introduction to Applied Algebraic Systems
Now let the set of ≡ classes be denoted by R/I and show (iii) R/I is a ring.
2.9 Multiplicative Structure of Finite Fields
From the examples of the previous section, we have seen how to calculate products in any finite field (provided that we know the base field and the irreducible polynomial used to construct the finite field). We will see that, viewed from the correct perspective, the multiplicative structure of a finite field is extremely simple. We must first develop some preliminary ideas. Lemma 2.9.1 Let p be a prime number, n ∈ N, and let α ∈ GF(p n ). (i) If α = 0, then α p −1 = 1. n (ii) α is a root of x p − x. n
Proof. The technique used here is the same as we used in Euler’s Theorem. (i) Let the distinct nonzero elements of GF(p n ) be a1 , a2 , . . . , ap n −1 . By the cancellation law (since α = 0), we find that the elements αa1 , αa2 , . . . , αap n −1 are all distinct and nonzero. However, there are only p n − 1 nonzero elements in GF(p n ). Hence, {a1 , a2 , . . . , ap n −1 } = {αa1 , αa2 , . . . , αap n −1 } so that a1 a2 · · · ap n −1 = (αa1 )(αa2 ) · · · (αap n −1 ) = a1 a2 · · · ap n −1 α p
n −1
.
Multiplying by (a1 a2 · · · ap n −1 )−1 we find that αp
n −1
=1
as required. n n (ii) If α = 0, then α p −1 = 1 by part (i). Hence α p = α. If α = 0, then n n trivially α p = α. Thus, in all cases, α is a root of x p − x. Let α ∈ GF(p n )∗ . Then we see from Lemma 2.9.1 that there exists t ∈ N with α t = 1—namely, t = p n − 1. Hence we can define the order of α, written ord (α), to be the smallest positive integer t such that α t = 1. Some basic properties of ord (α) are provided next.
Rings and Fields 141
Lemma 2.9.2 Let α ∈ GF(p n )∗ have order t . (i) 1, α, α 2 , . . . , α t −1 are distinct. (ii) α m = 1 if and only if t | m. (iii) t | p n − 1. Proof. (i) Let 0 ≤ i ≤ j < t . Then α i = α j ⇒ α j−i = 1 where 0 ≤ j − i < t ⇒j −i =0 ⇒ i = j. (ii) Let α m = 1 and m = tq + r where 0 ≤ r < t . Then 1 = α m = α tq+r = (α t )q α r = 1 · α r = α r . However, t is the smallest positive integer with α t = 1. Hence, r = 0 and t | m. Conversely, if m = tq (q ∈ N), then α m = (α t )q = 1q = 1. (iii) By Lemma 2.9.1, α p t | p n − 1.
n −1
= 1. By part (ii), this implies that
Let F be a finite field. An element α ∈ F ∗ is a generator of F ∗ or a primitive element of F if F ∗ = {α i | i ≥ 0}. In Z2 , it is clear that 1 is primitive. In Z3 , 12 = 1, 21 = 2, 22 = 4 = 1 so that 2 is primitive and 1 is not primitive. In Z7 , 21 = 2, 22 = 4, 23 = 8 = 1 31 = 3, 32 = 9 = 2, 33 = 6, 34 = 18 = 4 35 = 12 = 5, 36 = 15 = 1 so that 2 is not a primitive element in Z7 , but 3 is.
142 Introduction to Applied Algebraic Systems
Example 2.9.3 Consider GF(9) as constructed in Example 2.8.1. The most obvious element to test first is y (the construction variable). However, y 1 = y, y 2 = −1, y 3 = −y, y 4 = 1 so that y is not primitive. On the other hand, (1 + y)1 = 1 + y
(1 + y)5 = 2 + 2y
(1 + y)2 = 2y
(1 + y)6 = y
(1 + y)3 = 1 + 2y
(1 + y)7 = 2 + y
(1 + y)4 = 2
(1 + y)8 = 1.
Thus, 1 + y is a primitive element. Note that 1 + 2y, 2 + 2y, and 2 + y are also primitive elements in this example, so that primitive elements are not, in general, unique. In Example 2.8.1 we used the irreducible polynomial 1 + y 2 to construct a copy of GF(9). In section 2.6, we saw that 2 + u + u 2 = 2(1 + 2u + 2u 2 ) is also an irreducible polynomial of degree 2 over Z3 , and in Example 2.8.3 we used g (u) = 2 + u + u 2 to construct another copy of GF(9). When we change the polynomial used to construct a field in this way, the role of the construction variable may also change. In the previous example, we saw that y is not a primitive element in Z3 [y]/(1 + y 2 ). In Z3 [u]/(2 + u + u 2 ), the construction variable u is a primitive element (see the exercises). Exercises 2.9 1. For each of the following fields, determine the order of each nonzero element and also which elements are primitive: (i) Z7 . (ii) Z13 . 2. Find the multiplicative order of each element in GF(9)∗ and identify the primitive elements. (Use the construction of GF(9) in Example 2.8.3.) 3. (i) Show that the order of each element of GF(2n )∗ , n ≥ 1, is odd. (ii) Show that the order of each nonidentity element of GF(257)∗ is even. 4. (i) Show that every nonidentity element of GF(2n )∗ is primitive for n = 2, 3, 5, 7. (ii) Show that GF(24 ) contains nonidentity elements that are not primitive. 5. Let F and G be finite fields and ϕ : F → G be an isomorphism. Let a ∈ F ∗ . Show that ord (a) = ord (ϕ(a)).
Rings and Fields 143
2.10 Primitive Elements
Let us focus a little more closely on the existence and properties of primitive elements. Lemma 2.10.1 Let α ∈ GF(p n ). (i) α is primitive if and only if ord (α) = p n − 1. (ii) If α is primitive then GF(p n )∗ = {1, α, α 2 , . . . , α p
n −2
}.
Proof. (i) First assume that α is primitive. Note that the powers of α start repeating at p n − 1 since αp
n −1
= 1,
n
α p = α,
αp
n +1
= α2, . . . .
Therefore, if {α i | i ≥ 0} contains p n − 1 distinct elements, then they must be n 1, α, α 2 , . . . , α p −2 . Hence, ord (α) ≥ p n − 1 whereas, by Lemma 2.9.2, ord (α) divides p n − 1. Hence, ord (α) = p n − 1. Conversely, suppose that ord (α) = p n − 1. Then, by Lemma 2.9.2, the elements 1, α, α 2 , . . . , α p
n −2
are distinct. However, GF(p n ) only has p n − 1 nonzero elements. Therefore, these are all the nonzero elements. Hence, α is primitive. (ii) This follows immediately from the proof of (i). This result and those of the previous section simplify the task of finding the order of nonzero elements and of finding primitive elements. By Lemma 2.10.1, we are looking for elements of order p n −1 and, by Lemma 2.9.2, the order of any element α divides p n − 1. In other words, α is primitive if and only if α m = 1 for all integers m | p n − 1 with m < p n − 1. Example 2.10.2 |GF(8)∗ | = 7. Therefore, the order t of any α ∈ GF(8)∗ divides 7 so that t = 1 or 7. Hence, if α ∈ GF(8) and α = 0, 1, then α is primitive. Example 2.10.3 If GF(9) = Z3 [u]/(u 2 + u +2), then the order of any nonzero element divides 8. Since u 2 = 2u + 1 and u 4 = 2, it follows that u has order 8 and, therefore, that u is primitive.
144 Introduction to Applied Algebraic Systems
In the next two results, by way of preparation for the main theorem, we describe how to determine the order of certain combinations of elements. Lemma 2.10.4 Let F be a finite field, α ∈ F ∗ , t = ord (α), and m ∈ N. (i) If m | t , then ord (α m ) = t /m. (ii) If (t , m) = 1, then ord (α m ) = t . Proof. Let k = ord (α m ). (i) Since (α m )t /m = α t = 1
(2.6)
α mk = (α m )k = 1
(2.7)
and
it follows from Lemma 2.9.2 (ii) that (2.6) implies that k divides t /m
(2.8)
t | mk.
(2.9)
and from (2.7) that
From (2.9) we have that t /m divides k. Combined with (2.8) this shows that k = t /m. (ii) Again, from (2.7) we have that t | mk. However, (t , m) = 1 so that we must have t | k. On the other hand, (α m )t = (α t )m = 1m = 1 so that, by Lemma 2.9.2 (ii), k | t . Hence, k = t .
Lemma 2.10.5 Let F be a finite field, α, β ∈ F ∗ , s = ord (α), t = ord (β), and (s, t ) = 1. Then ord (αβ) = st . Proof. Let m = ord (αβ). Then (αβ)st = (α s )t (β t )s = 1 · 1 = 1. Therefore, m | st . Let us say m = s t where s | s and t | t . Also,
1 = (1)t /t = ((αβ)m )t /t
= (αβ)s t = α s t (β t )s
= αs t
Rings and Fields 145
so that, by Lemma 2.9.2 (ii), s | s t , but (s, t ) = 1. Therefore, s | s and it follows that s = s. Similarly, t = t and we have m = s t = st . We are now ready for the main result concerning the existence of primitive elements. Theorem 2.10.6 For all primes p and all n ∈ N, there is a primitive element in GF(p n ). Proof. By Lemma 2.9.2, we know that the order of every nonzero element divides p n − 1. Let t be the largest order of any element of GF(p n )∗ and let α be one of the elements with order t . If t = p n − 1, then by Lemma 2.9.2, α is a primitive element. So suppose that t < p n − 1. The polynomial x t − 1 has, at most, t roots. Since GF(p n )∗ has p n − 1 elements, it follows that there exists an element β ∈ GF(p n )∗ that is not a root of x t − 1. This means that m = ord (β) does not divide t . Consequently, there exists a prime number q and an integer d ∈ N such that q d | m but q d | t . Let e, 0 ≤ e < d, be the largest power of q that divides t and let α = αq . e
Then, by Lemma 2.10.4 (i), ord (α ) = (ord α)/q e = t /q e . We also have gcd(t /q e , q) = 1. Now let β = β m/q . d
By Lemma 2.10.4 (i), ord (β ) = m/(m/q d ) = q d .
146 Introduction to Applied Algebraic Systems
Therefore, (ord (α ), ord (β )) = (t /q e , q d ) = 1 so that, by Lemma 2.10.5, ord (α β ) = (t /q e )q d = t · q d−e >t which contradicts the choice of t . Hence, t = p n − 1, as required.
The existence of primitive elements in finite fields means that we have two ways of representing the elements of any finite field of the form G = F [x]/p(x), where p(x) is an irreducible polynomial of degree n. The first is as polynomials in F [x] of degree, at most, n − 1. Each such polynomial is completely determined by the n-tuple of its coefficients: a0 + a1 x + · · · + an−1 x n−1 ⇐⇒ (a0 a1 a2 · · · an−1 ). In addition, if α is a primitive element in G, then every nonzero element is a power of α. If we know every element of G in both forms, then we can use the vector form when adding elements, and the power form when multiplying elements. Example 2.10.7 Let GF(9) = Z3 [y]/(y 2 + 1). We have seen that α = 1 + y is a primitive element in F . So we have α = 1 + y ↔ (11) α 2 = 1 + 2y + y 2 = 2y ↔ (02) α 3 = 1 + y 3 = 1 + 2y ↔ (12) α 4 = (2y)2 = y 2 = 2 ↔ (20) α 5 = α 4 α = 2 + 2y ↔ (22) α 6 = α 4 α 2 = 4y = y ↔ (01) α 7 = α 4 α 3 = 2(1 + 2y) = 2 + y ↔ (21) α 8 = (α 4 )2 = 1 ↔ (10).
Rings and Fields 147
In summary, the elements of GF(9) and the orders of the nonzero elements are as follows: Element
α8
Order
0
0
(00)
1
1
(10)
1
α
1+y
(11)
8
α2
2y
(02)
4
α3
1 + 2y
(12)
8
α4
2
(20)
2
α5
2 + 2y
(22)
8
α6
y
(01)
4
α7
2+y
(21)
8
To illustrate the use of this “double bookkeeping,” we have (using y = α 6 , = 1) (1 + y 3 )(y + y 4 )5 = (1 + α 18 )(α 6 + α 24 )5 = (1 + α 2 )(α 6 + 1)5 = ((10) + (02))((01) + (10))5 = (12)(11)5 = α3α5 = α8 = 1.
Example 2.10.8 If GF(16) = Z2 [y]/(y 4 + y + 1), then α = y is a primitive element and we have the following: 0
0
α
y
α2
y2
α3
y3
α4
1+y
α5
y
+ y2
α6
y2
+ y3
α7
1+y
+ y3
(0000)
α8
1 + y2
(1010)
(0100)
α9
+ y3
(0101)
(0010)
α 10
(0001)
α 11
(1100)
α 12
(0110)
α 13
(0011)
α 14
1 + y3
(1001)
(1101)
α 15
1
(1000)
y
1+y
+ y2
(1110)
+ y2
+ y3
(0111)
y
1+y
+ y2
1 + y2
+ y3
+ y3
(1111) (1011)
148 Introduction to Applied Algebraic Systems
Exercises 2.10 1. With GF(9) as described in Example 2.10.7, show that ((2 + y)5 + (1 + 2y)4 )6 = 2 . 2. With GF(16) as described in Example 2.10.8, simplify ((1 + y)4 + (y + y 2 )5 )6 . 3. Let α be a primitive element in GF(p n ) and m ∈ N. Let d = (p n − 1, m). Show that ord (α m ) = (p n − 1)/d. 4. Let α be a primitive element in GF(p n ) and m ∈ N. (i) Show that α m is primitive if and only if (m, p n − 1) = 1. (ii) Show that the number of primitive elements in GF(p n ) is ϕ(p n − 1). 5. Find the number of primitive elements in each of the following: (i) (ii) (iii) (iv) (v)
GF(8). GF(9). GF(25). GF(32). GF(81).
6. Find all the primitive elements in GF(16) = Z2 [y]/(y 4 + y + 1). 7. (i) Show that there exists an element in GF(p n )∗ of every possible order. (ii) Find elements of each possible order in GF(9)∗ (as described in Example 2.10.7). ∗ 8.
(i) Let m ∈ N and a ∈ Z∗m . Show that there exist (a, m) distinct solutions to the equation ax = 0 in Zm . (ii) Let p be prime, a ∈ Z∗p , and a = α s = 1 where α is a primitive root of Zp . Show that the number of distinct solutions mod (p − 1) to a x ≡ 1 mod p is (s, p − 1).
2.11 Subfield Structure of Finite Fields
We have seen in section 2.2 how every field of characteristic p will contain a subfield isomorphic to Zp . We shall now see how to identify all the subfields of any finite field GF(p n ). We will achieve this by a careful examination of n the factorization of the polynomial x p − x. For this we take advantage of the following standard piece of algebra: For every positive integer k, a k − 1 = (a − 1)(a k−1 + a k−2 + · · · + a + 1). This is equally valid whether a is an integer, a field element, or a variable.
Rings and Fields 149
Lemma 2.11.1 Let p be a prime number and m, n ∈ N be such that m | n. (i) p m − 1 divides p n − 1. m n (ii) x p −1 − 1 divides x p −1 − 1. Proof. (i) Let k ∈ N be such that n = mk. We have p n − 1 = p mk − 1 = (p m )k − 1 = (p m − 1)((p m )k−1 + (p m )k−2 + · · · + p m + 1). (ii) From part (i) we know that there exists t ∈ N with p n −1 = (p m −1)t . Then, xp
n −1
− 1 = (x (p = (x p
m −1)
m −1
and we have established (ii).
)t − 1
− 1)(x (p
m −1)(t −1)
+ · · · + xp
m −1
+ 1)
We are now ready to characterize all the subfields of G = GF(p n ). Theorem 2.11.2 Let p be a prime number and n ∈ N. Then, G = GF(p n ) contains a subfield with k elements if and only if k = p m where m | n. Moreover, if there exists a subfield F with p m elements (where m | n), then m
F = {α ∈ GF(p n ) | α is a root of x p − x} and so it is unique. Proof. If GF(p m ) is a subfield of GF(p n ), then we know from Corollary 2.3.8 that m | n. Now suppose that m | n and let m
F = {α ∈ GF(p n ) | α is a root of x p − x}. First we show that F is a subfield of GF(p n ). Clearly, 0, 1 ∈ F . Let a, b ∈ F , then, by Lemma 2.2.7, m
m
m
(a ± b)p = a p ± b p = a ± b and m
m
m
(ab)p = (a p )(b p ) = ab
150 Introduction to Applied Algebraic Systems
and, for a ∈ F , a = 0, we have (a −1 )p = (a p )−1 = a −1 . m
m
Thus, F is a subfield of GF(p n ). Next, we wish to determine the size of F . n By Lemma 2.9.1, we know that every element of GF(p n ) is a root of x p −x. n p n n In other words, the polynomial x − x has p distinct roots in GF(p ). Now n
x p − x = x(x p
n −1
− 1)
where x has just one root—namely, 0. Consequently, x p −1 − 1 has p n − 1 distinct roots in GF(p n )—namely, all the nonzero elements. Since m | n, by Lemma 2.11.1, there exists a polynomial g (x) with n
xp
n −1
− 1 = (x p
m −1
− 1)g (x).
Since x p −1 − 1 has p n − 1 roots in GF(p n ), the polynomial x p −1 − 1 must m have p m − 1 distinct roots. Hence, x p − x will have p m roots in GF(p n ). Thus, m m |F | = p so that F = GF(p ) as required. Now let K be a subfield of G with p m elements and let F be as in the statement of the theorem. By Lemma 2.9.1, every element of K is a root of the polynomial n
m
m
xp − x and therefore belongs to F . Thus, K ⊆ F and, since |F | = p m = |K |, we must have K = F . Thus, F is the unique subfield of G with p m elements. For small values of n it is possible to illustrate the containment relation between subfields of GF(p n ). For example, if n = 18 then the divisors of 18 are 1, 2, 3, 6, 9, 18, so that we have the following arrangement of subfields:
GF(p 9 )
GF(p 3 )
18 q Q GF(p ) Q Q Q QQq q .... ...........
.. ........... ........... ........... . . . . . . . . . . .. ........... ........... ........... ........... . . . . . . . . . . .......... ........... ...........
q QQ Q
q
Q
Qq GF(p)
Q
GF(p 6 )
GF(p 2 )
Rings and Fields 151
In the next lemma, we provide an alternative way to identify a subfield of a specific size in GF(p n ). Lemma 2.11.3 Let m, n ∈ N, m | n, p be a prime, and α be a primitive element p n −1 in GF(p n ). Let β = α q where q = p m −1 . Then, G = {β k |1 ≤ k ≤ p m − 1} ∪ {0} is a subfield of GF(p n ) with p m elements. Proof. Since α is a primitive element, it follows that the elements α, α 2 , n α 3 , . . . , α p −1 = 1 are all distinct and therefore the elements β, β 2 , m 3 p β , . . . , β −1 are also distinct. Thus, G contains p m distinct elements. Howm n ever, since β p −1 = α p −1 = 1, we see that all the elements of G are roots of m p the polynomial x − x, which implies that G is just the field constructed in Theorem 2.11.2. Exercises 2.11 1. Let m, n ∈ N and m | n. Let F and G be subfields of GF(p n ) with |F | = |G| = p m . Show that F = G. 2. By Theorem 2.11.2, GF(16) contains a subfield with four elements. (i) Describe GF(16) with the help of the irreducible polynomial x 4 + x + 1 ∈ Z2 [x]. (ii) Find the subfield of GF(16), as constructed in (i), with four elements. 3. Draw a diagram representing the mutual containments of the subfields of GF(p 24 ) along the lines of the diagram in section 2.11. 4. Let F = Z2 [z]/(z 2 + z + 1), f (y) = y 2 + y + z ∈ F [y], and G = F [y]/f (y). Show that f (y) is irreducible in F [y] and find the subfield of G that is isomorphic to GF(4). 5. Let n ∈ N. Show that there exists a nonconstant polynomial f (x) ∈ Zp [x] that has no root in GF(p n ). 6. Let F = GF(p n ) and q = p n . Let F = {a1 , a2 , . . . , aq }. For each t ∈ F , t = 0, let At be the q × q matrix with (i, j)th entry tai + aj
(1 ≤ i, j ≤ q).
(i) Show that At is a Latin Square for all t ∈ F ∗ . (ii) Show that, for t = u, At and Au are orthogonal (see Exercise 16 in section 1.7).
152 Introduction to Applied Algebraic Systems
2.12 Minimal Polynomials
Let F = GF(p n ) be a finite field of characteristic p and α ∈ F ∗ . From n Lemma 2.9.1 (i), we know that α is a root of the monic polynomial x p −1 −1 ∈ Zp [x]. More generally, if F is a subfield of a field G and α ∈ G is such that f (α) = 0 for some f (x) ∈ F [x], then we say that α is algebraic over F .√By the preceding remark, every element of GF(p n ) is algebraic over Zp . Also 2, as a root of x 2 − 2, is algebraic over Q. If α ∈ G is algebraic over F and m(x) ∈ F [x] is a monic polynomial of the smallest possible degree for which α is a root (m(α) = 0), then we will call m(x) a minimal polynomial for α (with respect to F ). If we wish to emphasize that m(x) is a minimal polynomial for the element α, then we write mα (x). Note that since mα (x) is a monic polynomial and mα (α) = 0, we must have deg(mα (x)) ≥ 1. Theorem 2.12.1 Let F be a subfield of G, α ∈ G, m(x) ∈ F [x] be a minimal polynomial for α over F and f (x) ∈ F [x]. (i) (ii) (iii) (iv)
f (α) = 0 =⇒ m(x) | f (x). n F = Zp , G = GF(p n ) =⇒ m(x) | x p −1 − 1. m(x) is irreducible. m(x) is unique.
Proof. (i) By the division algorithm, there exist polynomials q(x), r(x) with f (x) = q(x)m(x) + r(x)
where deg(r(x)) < deg(m(x)).
Then, 0 = f (α) = q(α)m(α) + r(α) = q(α) · 0 + r(α) = r(α). Since deg(r(x)) < deg(m(x)) we must have r(x) = 0. Thus, m(x) | f (x) . (ii) The second claim follows from part (i) and Lemma 2.9.1 (i). (iii) Suppose that m(x) = g (x)h(x) for some nonconstant polynomials g (x), h(x) ∈ F [x]. Then, 0 = m(α) = g (α)h(α) so that either g (α) = 0 or h(α) = 0. If g (α) = 0, then m(x) | g (x) and deg(g (x)) = m(x). Likewise, if h(α) = 0, then deg(h(x)) = m(x). Thus, m(x) is irreducible. (iv) Let g (x) also be a minimal polynomial for α. Then g (α) = 0 and, by (i), m(x) | g (x). Switching the roles of m(x) and g (x) we also have g (x) | m(x). Since both are monic polynomials, it follows that m(x) = g (x) and (iv) holds.
Rings and Fields 153
In light of Theorem 2.12.1, we can now refer to m(x) as the minimal polynomial for α over F . Some minimal polynomials are pretty obvious. For example, if α ∈ Zp , then the minimal polynomial for α is simply x − α: m0 (x) = x, m1 (x) = x − 1, . . . , mp−1 (x) = x − p + 1. Indeed, for any field G, the minimal polynomial for α ∈ G over G is just x − α. The next lemma, although not very methodical, can be quite helpful in finding minimal polynomials. Lemma 2.12.2 Let F be a subfield of the field G, α ∈ G, and g (x) ∈ F [x] be monic and irreducible. If α is a root of g (x), then mα (x) = g (x). Proof. Since g (α) = 0, it follows from Theorem 2.12.1, that mα (x) divides g (x). Since g (x) is irreducible, we must have deg (mα (x)) = deg (g (x)) and, since both are monic, we must have g (x) = mα (x). Lemma 2.12.2 is quite useful when dealing with simple situations since it means that if you know, by whatever means, an irreducible monic polynomial g (x) for which α is a root, then you have found the minimal polynomial. √ For example, we know that x 2 − 2 ∈ Q[x] is monic, irreducible, and has 2 as a root. Hence, m√2 (x) = x 2 − 2 over Q. √ √ Example 2.12.3 Find the minimal polynomial for α = 2 + 3 ∈ R over Q. One approach for such numbers that can be quite simple is to compute some simple expressions for α and determine whether some combination will eliminate the square roots. We have √ α 2 = 5 + 2 6, (α 2 − 5)2 = 24 so that α is a root of (x 2 − 5)2 − 24, or x 4 − 10x 2 + 1. Using Proposition 2.6.7, it is not too hard to see that this polynomial is irreducible over Q. Hence, mα (x) = x 4 − 10x 2 + 1 over Q. Unfortunately, this method is a bit haphazard. Example 2.12.4 A more methodical method that works over an arbitrary field of arbitrary characteristic is to test arbitrary monic polynomials of degree 1, 2, 3, and so on, using linear algebra to solve for the coefficients. So, for the same α as in the previous example, we might first test a general monic linear polynomial a0 + x. Substituting α, we obtain √ √ √ √ a0 + ( 2 + 3) = a0 + 2 + 3.
154 Introduction to Applied Algebraic Systems
√ √ Now we take advantage of the fact that 1, 2, 3 are independent vectors in the vector space R over Q (a fact that can be verified easily). Thus, the previous expression reduces to zero if and only if we have a0 = 1 = 1 = 0. Thus, α is not a root of any linear polynomial—a fact that must have been obvious from the beginning (since otherwise we could have solved to find α ∈ Q), but checking it formally illustrates the method. We now repeat the checking process with arbitrary polynomials of degree 2 and 3 with similarly negative results. Now consider an arbitrary monic polynomial of degree 4: a0 + a1 x + a2 x 2 + a3 x 3 + x 4 . If we substitute α into and equate the coefficients of the inde√ √ polynomial √ this pendent vectors 1, 2, 3, 6 to zero, then we obtain the following system of linear equations in the variables a0 , . . . , a3 : a0 + 0a1 + 5a2 + 0a3 + 49 = 0 0a0 + a1 + 0a2 + 11a3 + 0 = 0 0a0 + a1 + 0a2 + 9a3 + 0 = 0 0a0 + 0a1 + 2a2 + 0a3 + 20 = 0. Solving this system of linear equations, we obtain a0 = 1 a1 = a3 = 0 a2 = −10. Thus, we obtain the polynomial x 4 − 10x 2 + 1 exactly as before. Because there was no polynomial of lesser degree with α as a root, we know immediately that this is the minimal polynomial for α. The next three lemmas exhibit some fascinating and theoretically important information regarding the manner in which the roots of a minimal polynomial over a finite field are related. Lemma 2.12.5 Let F be a finite field of characteristic p and α ∈ F ∗. Let α be a root of f (x) ∈ Zp [x]. Then α p is also a root of f (x). Proof. Let f (x) = a0 + a1 x + · · · + am x m p
By Fermat’s Theorem, ai = ai . Hence, f (α p ) = a0 + a1 α p + · · · + am (α p )m p
= a0 + (a1 α)p + · · · + (am α m )p
(ai ∈ Zp ).
Rings and Fields 155
= (a0 + a1 α + · · · + am α m )p
by Lemma 2.2.7
p
=0 =0 and α p is a root of f (x).
In particular, Lemma 2.12.5 tells us that since α is a root of mα (x), so also 2 3 is α p and, therefore, (α p )p = α p = α p as well, and so forth. n Let α ∈ GF(p n )∗ . By Lemma 2.9.1 (ii) we know that α p = α. Let k be the k 2 k−1 smallest positive integer such that α p = α. Then α, α p , α p , . . . , α p are all distinct (see the exercises) and we call them the conjugates (or conjugate roots) of α and write " k−1 # . C(α) = α, α p , . . . , α p Lemma 2.12.6 For all i ∈ N, i
C(α) = C(α p ). Proof. Since (α p
k−1
k
)p = α p = α, it is clear that
# " " t 2 k−1 # . C(α) = α p | t ∈ N = α, α p , α p , . . . , α p Therefore, " i # i i+1 C(α p ) = α p , α p , . . . ⊆ C(α) so that there must be an integer j with 0 ≤ j ≤ k − 1 such that i
j
αp = αp . Then, $
αp
i
%p k−j
j
= (α p )p
k−j
k
= αp = α
i
from which it follows that α ∈ C(α p ). Therefore, $ i% C(α) ⊆ C α p and equality prevails.
One immediate consequence of Lemma 2.12.6 is that “being a conjugate of ” is a symmetric relation: If β is a conjugate of α, then α is a conjugate of β. Thus, we can speak of α and β as “being conjugates”.
156 Introduction to Applied Algebraic Systems
Lemma 2.12.7 Let α ∈ GF(p n ) and C(α) be as above and m(x) be the minimal polynomial for α over Zp . Then (x − α)(x − α p ) · · · (x − α p
k−1
) | mα (x)
as polynomials in GF(p n )[x]. Proof. This follows immediately from Lemma 2.12.5 and the remarks preceding Lemma 2.12.6. Lemma 2.12.7 states that the polynomial c(x) =
(x − β) = (x − α)(x − α p ) · · · (x − α p
k−1
)
β∈C(α)
divides mα (x) in GF(p n )[x]. This tells us something about mα (x), but it is a little unsatisfactory since mα (x) ∈ Zp [x], but we have no information so far concerning the coefficients of this polynomial c(x). However, we are now in a position to describe mα (x). Theorem 2.12.8 Let α ∈ GF(p n )∗ and mα (x) be the minimal polynomial for α over Zp . Then, mα (x) =
(x − β).
β∈C(α)
Moreover, xp
n −1
−1=
mα (x)
α
where the product runs over all distinct minimal polynomials mα (x) for α = 0. Proof. Let c(x) =
(x − β)
β∈C(α)
= a0 + a1 x + · · · + ak−1 x k−1 + x k
(ai ∈ GF(p n )).
Rings and Fields 157
Our main task is to show that c(x) is indeed a polynomial over Zp . Toward that end we have (x − β)p = (x p − β p ) (c(x))p = β∈C(α)
=
β∈C(α)
(x p − β)
by Lemma 2.12.6
β∈C(α)
= c(x p ) = a0 + a1 x p + · · · + ak−1 x p(k−1) + x pk .
(2.10)
On the other hand, we also have (c(x))p = (a0 + a1 x + · · · + x k )p = a0 + a1 x p + · · · + ak−1 x (k−1)p + x kp . p
p
p
(2.11)
Equating the coefficients in (2.10) and (2.11) we find that p
ai = ai
(i = 0, 1, . . . , k)
which means that ai is a root of x p − x for i = 0, 1, . . . , k. By Theorem 2.11.2, this means that ai ∈ GF(p) = Zp for all i. Thus, c(x) ∈ Zp [x]. By Lemma 2.12.7, we already know that c(x) | mα (x). Since c(x) and mα (x) are both monic polynomials, it follows from the minimality of mα (x) that c(x) = mα (x) as required. With regard to the final claim, first note that every nonzero element α of n n GF(p n ) is a root of x p −1 − 1 so that x − α divides x p −1 − 1 in GF(p n )[x]. n Thus, in GF(p )[x], we have xp
n −1
−1=
(x − α) α
where the product runs over all nonzero elements α in GF(p n ). If we group together the factors containing elements in the same conjugacy class, then we see from the first part of the theorem that each group of factors becomes the minimal polynomial corresponding to that class of conjugates, and therefore we can write n mα (x) x p −1 − 1 = α
as required.
158 Introduction to Applied Algebraic Systems
Corollary 2.12.9 Let α, β ∈ GF(p n )∗ and α and β be conjugates. Then mα (x) = mβ (x). We finally arrive at the long anticipated verification of the existence of irreducible polynomials of all degrees over the integers modulo p. Corollary 2.12.10 For every prime p and every positive integer n, there exists an irreducible polynomial of degree n over Zp . Proof. By Theorem 2.10.6, we know that there exists a primitive element in GF(p n ). Let α be such an element, let mα (x) be the minimal polynomial for α over Zp , and let the degree of mα (x) be m. By the division algorithm, for any positive integer k, we can write x k = qk (x)mα (x) + rk (x). where qk (x), rk (x) ∈ Zp [x], rk (x) is unique and either rk (x) = 0 or the degree of rk (x) is less than the degree of mα (x) = m. Substituting α into this equation, we find that α k = rk (α). It follows that the number of distinct powers of α (which we know to be p n − 1) must be at most the number of nonzero polynomials of degree less than m, that is, p m − 1. Thus, n ≤ m. On the other hand, for any two polynomials r(x), s(x) of degree less than m r(α) = s(α) ⇒ r(α) − s(α) = 0 ⇒ r(x) = s(x) since the degree of r(x) − s(x) is less than m, the degree of mα (x). Thus the number of elements in GF(p n ), that is, p n is at least as big as the number of polynomials of degree less then m, which is p m . Thus m ≤ n. Therefore we have equality, m = n and mα (x) is a polynomial of degree n. However, by Theorem 2.12.1(iii), minimal polynomials are always irreducible and so mα (x) is an irreducible polynomial of degree n. Example 2.12.11 Consider GF(9) = Z3 [z]/(1 + z 2 ). Here, p = 3. (i) For α ∈ Z3 , mα (x) = x − α. (ii) α = z. We have z 3 = z 2 · z = 2z 2
z 3 = (z 3 )3 = (2z)3 = 8 · z 3 = 8 · 2z = z so that C(z) = {z, 2z} and mz (x) = (x − z)(x − 2z) = x 2 − (3z)x + 2z 2 = x 2 + 4 = x 2 + 1.
Rings and Fields 159
By Corollary 2.12.9, we also have m2z = x 2 + 1. (iii) α = 1 + z. We have (1 + z)3 = 13 + z 3 = 1 + z 2 · z = 1 + 2z 2
(1 + z)3 = ((1 + z)3 )3 = (1 + 2z)3 = 1 + 8z 3 = 1 + 16z = 1 + z so that C(1 + z) = {1 + z, 1 + 2z} and m1+z (x) = m1+2z (x) = (x − (1 + z))(x − (1 + 2z)) = x 2 − 2x + (1 + 2z 2 ) = x 2 − 2x + 5 = x 2 − 2x + 2 = x 2 + x + 2. (iv) α = 2 + z. We have (2 + z)3 = 23 + z 3 = 2 + 2z 2
(2 + z)3 = (2 + 2z)3 = 23 + 23 z 3 = 2 + 2.2z = 2 + z so that C(α) = {2 + z, 2 + 2z} and m2+z (x) = m2+2z (x) = (x − (2 + z))(x − (2 + 2z)) = x 2 − x + (4 + 2z 2 ) = x 2 + 2x + 8 = x 2 + 2x + 2 . Illustrating the final claim of the Theorem 2.12.8, we then have x 8 − 1 = (x − 1)(x − 2)(x 2 + 1)(x 2 + x + 2)(x 2 + 2x + 2). Example 2.12.12 Consider GF(16) = Z2 [z]/(1 + z + z 4 ). Here, p = 2 and α = z is a primitive element.
160 Introduction to Applied Algebraic Systems
(i) Standard calculations show that the conjugate elements are grouped as C(z) = {z, z 2 , z 4 , z 8 } C(z 3 ) = {z 3 , z 6 , z 9 , z 12 } C(z 5 ) = {z 5 , z 10 } C(z 7 ) = {z 7 , z 11 , z 13 , z 14 }. (ii) The corresponding minimal polynomials can then be calculated as mz (x) = 1 + x + x 4 mz 3 (x) = 1 + x + x 2 + x 3 + x 4 mz 5 (x) = 1 + x + x 2 mz 7 (x) = 1 + x 3 + x 4 . (iii) Combining the minimal polynomials we get x 15 − 1 = (1 + x)(1 + x + x 2 )(1 + x + x 4 )(1 + x 3 + x 4 ) × (1 + x + x 2 + x 3 + x 4 ). Exercises 2.12 1. Find minimal polynomials in Q[x] for √ (i) 2 √ (ii) 1 + 2. √ √ 2. (i) Show that 3 ∈ Q( 2). √ √ (ii) Find the minimal polynomial for √3 over Q(√2). (iii) Find the minimal polynomial for 6 over Q( 2). √ √ 3. (i) Show that 4 2 ∈ Q( 2). √ √ (ii) Find the minimal polynomial for 4 2 over Q( 2). 4. (i) Produce a table for GF(8) = Z2 [y]/(y 3 + y + 1) in the style of Example 2.10.7 using the primitive element α = y. (ii) Determine the conjugacy classes of all elements. (iii) Determine the minimal polynomial for each element of GF(8) over Z2 . 5. (i) Determine the conjugacy classes in GF(9) constructed as Z3 [y]/(y 2 + y + 2). (ii) Determine the minimal polynomial for each element of GF(9) over Z3 .
Rings and Fields 161
6. (i) Determine the conjugacy classes in GF(16) as described in Example 2.10.8. (ii) Determine the minimal polynomials for (a) y + y 2 (b) y. 7. Let α ∈ GF(p n ). Show that α is a root of a nonzero polynomial f (x) ∈ Zp [x] with deg(f (x)) ≤ n. (Hint: Consider GF(p n ) as a vector space over Zp .) 8. Let α ∈ GF(p n )∗ and t ∈ N be the smallest integer such that α p = α. Show that the elements t
2
α, α p , α p , . . . , α p
t −1
are all distinct.
2.13 Isomorphisms between Fields
The goal of this section is to demystify the construction of isomorphisms between (small) finite fields. Suppose that f (x) and g (x) are both irreducible polynomials of degree n over Zp . Then we can use either f (x) or g (x) to construct GF(p n ) as Zp [x]/f (x) or Zp [x]/g (x). This means that Zp [x]/f (x) and Zp [x]/g (x) must be isomorphic. But how can we find such an isomorphism? We begin with some simple general observations. Lemma 2.13.1 Let F and G be fields and ϕ : F → G be an isomorphism. (i) ϕ(0F ) = 0G . (ii) ϕ(1F ) = 1G . (iii) char(F ) = char(G). Proof. (i) We have ϕ(0F ) = ϕ(0F + 0F ) = ϕ(0F ) + ϕ(0F ) so that 0G = ϕ(0F ) − ϕ(0F ) = ϕ(0F ) + ϕ(0F ) − ϕ(0F ) = ϕ(0F ). (ii) Exercise.
162 Introduction to Applied Algebraic Systems
(iii) Let m = char(F ) and n = char(G). Then, = n · 1G ϕ(0F ) = 0G = nϕ(1F ) = ϕ(n · 1F ). Since ϕ is injective, it follows that n · 1F = 0F . Hence, m ≤ n. Since ϕ −1 : G → F is also an isomorphism, we also have n ≤ m. Thus, m = n. Now let us be a little more specific and consider isomorphisms between finite fields of the form constructed in section 2.7. Lemma 2.13.2 Let F and G be fields of characteristic p, and ϕ : F → G be an isomorphism. Let h(x) ∈ Zp [x] and α ∈ F . (i) ϕ(a) = a for all a ∈ Zp . (ii) α is a root of h(x) if and only if ϕ(α) is a root of h(x). Proof. (i) Let a ∈ Zp . Then ϕ(a) = ϕ(a · 1) = aϕ(1) = a · 1 = a. (ii) Let h(x) = a0 + a1 x + · · · + an x n . Then, since ϕ is an isomorphism, h(α) = 0 ⇐⇒ a0 + a1 α + · · · + an α n = 0 ⇐⇒ ϕ(a0 + a1 α + · · · + an α n ) = ϕ(0) = 0 ⇐⇒ ϕ(a0 ) + ϕ(a1 )ϕ(α) + · · · + ϕ(an )ϕ(α)n = 0 ⇐⇒ a0 + a1 ϕ(α) + · · · + an ϕ(α)n = 0 ⇐⇒ h(ϕ(α)) = 0 from which the claim follows.
Lemma 2.13.2 provides the key to the construction of isomorphisms between finite fields of the same characteristic. To see how this works, let F = Zp [y]/f (y),
G = Zp [z]/g (z)
where f (x) and g (x) are both irreducible polynomials in Zp [x] of degree n. Then F and G are two descriptions of GF(p n ) and thus are isomorphic. To
Rings and Fields 163
find such an isomorphism ϕ, first recall that the elements of F are represented as polynomials in Zp [y] of degree, at most, n − 1 that is, they are of the form α = a0 + a1 y + a2 y 2 + · · · + an−1 y n−1 . Since ϕ is an isomorphism and since ϕ(a) = a for all a ∈ Zp by Lemma 2.13.2 (i), we must have ϕ(α) = ϕ(a0 ) + ϕ(a1 )ϕ(y) + ϕ(a2 )ϕ(y)2 + · · · + ϕ(an−1 )(ϕ(y))n−1 = a0 + a1 ϕ(y) + a2 ϕ(y)2 + · · · + an−1 (ϕ(y))n−1 . Thus, “all” that we have to do is to define ϕ(y) suitably and this is where Lemma 2.13.2 (ii) comes into play. Somewhat surprisingly, no matter what value we assign to ϕ(y), our mapping will respect addition. To see this, let α = a0 + a1 y + · · · + an−1 y n−1 and β = b0 + b1 y + · · · + bn−1 y n−1 . Then ϕ(α + β) = ϕ((a0 + b0 ) + (a1 + b1 )y + · · · + (an−1 + bn−1 )y n−1 ) = (a0 + b0 ) + (a1 + b1 )ϕ(y) + · · · + (an−1 + bn−1 )(ϕ(y))n−1 = a0 + a1 ϕ(y) + · · · + an−1 (ϕ(y))n−1 + b0 + b1 ϕ(y) + · · · + bn−1 (ϕ(y))n−1 = ϕ(α) + ϕ(β). So the whole problem reduces to that of assigning a value to ϕ(y) that ensures that ϕ respects multiplication. This leads us to the next theorem. Theorem 2.13.3 Let f (x), g (x) ∈ Zp [x] be irreducible monic polynomials of degree n. Let β ∈ Zp [z]/g (z). Then the mapping ϕ: a0 + a1 y + a2 y 2 + · · · + an−1 y n−1 −→ a0 + a1 β + a2 β 2 + · · · + an−1 β n−1
(2.12)
is an isomorphism of F = Zp [y]/f (y) to G = Zp [z]/g (z) if and only if β is a root of f (x). Proof. First suppose that ϕ is an isomorphism. By Theorem 2.7.4 (ii), we know that y is a root of f (x) and so, by Lemma 2.13.2, it follows that β = ϕ(y) must also be a root of f (x). Now suppose, conversely, that β = ϕ(y) is a root of f (x). From the discussion preceding the theorem we know that ϕ, as defined in (2.12), respects addition. So it remains to show that ϕ is a bijection and respects multiplication. We leave the verification of the fact that ϕ is a bijection to the exercises, but will
164 Introduction to Applied Algebraic Systems
now show that ϕ respects multiplication. Let u, v ∈ F and apply the division algorithm to the polynomial uv in y: uv = f (y)q(y) + r(y) where r(y) = 0 or deg r(y) < deg (f (y)). Then uv = r(y) in F and ϕ(uv) = ϕ(r(y)) = r(β) whereas ϕ(u)ϕ(v) = u(β)v(β) = f (β)q(β) + r(β) = r(β) since β is a root of f (β). Thus, ϕ respects multiplication and the proof is complete. We illustrate the procedure described here by returning to Example 2.8.1. Example 2.13.4 Let f (x) = 1 + x 2 , g (x) = 2 + x + x 2 ∈ Z3 [x], and set F = Z3 [y]/f (y),
G = Z3 [u]/g (u).
Now y is a root of 1 + x 2 so that under any isomorphism ϕ : F → G, ϕ(y) must also be a root of 1 + x 2 . It is not hard to discover that the roots of 1 + x 2 in G are ±(u + 2). Thus we obtain two isomorphisms ϕ1 , ϕ2 : F → G defined by ϕ1 (a0 + a1 y) = a0 + a1 (u + 2) and ϕ2 (a0 + a1 y) = a0 − a1 (u + 2). To illustrate the action of ϕ1 on products, consider (1 + y)(2 + y) = 2 + 3y + y 2 = 2 + 2 = 1 so that ϕ1 ((1 + y)(2 + y)) = ϕ1 (1) = 1.
Rings and Fields 165
On the other hand, ϕ1 (1 + y)ϕ1 (2 + y) = (1 + u + 2)(2 + u + 2) = u(u + 1) = u2 + u = 1. Thus,
ϕ1 ((1 + y)(2 + y)) = ϕ1 (1 + y)ϕ1 (2 + y).
An interesting special case of the previous discussion occurs when we take F = G. In that case we obtain an isomorphism of F to itself—in other words, an automorphism of F . For example, suppose that we take F to be as in Example 2.13.4 and G = F . Then the roots of f (x) in F are y (which we already knew) and 2y. Consequently, we will obtain a nontrivial automorphism of F if we define ϕ(y) = 2y that is, ϕ(a0 + a1 y) = a0 + 2a1 y. We are now finally in a position to establish the uniqueness of the Galois field with p n elements. Corollary 2.13.5 For each prime number p and each n ∈ N there is a unique field with p n elements. Proof. We have seen that for each prime number p and each n ∈ N there exists a field with p n elements. It remains to establish uniqueness. To this end, let F and G be fields with p n elements. Then necessarily F and G both have characteristic p and the prime subfield of each is (isomorphic to) Zp . Let α be a primitive element in F with minimal polynomial mα . By the proof n of Corollary 2.12.10, deg(mα ) = n. By Theorem 2.12.8, mα | x p −1 − 1. n n p However, G has p elements, all of which are roots of x − x = 0, and n n therefore x p − x = x(x p −1 − 1) has a complete set of roots in G. But, n mα (x) is an irreducible factor of x p −1 − 1 in Zp [x]. Therefore, G contains a complete set of roots for mα (x). Let β be any of the roots of mα (x) in G. Since deg(mα ) = n, it follows that 1, α, α 2 , . . . , α n−1 are independent as vectors in F as a vector space over Zp . Therefore these elements form a basis for F (which has dimension n). Now define θ : F −→ Zp [y]/mα (y) by θ : a0 + a1 α + · · · + an−1 α n−1 −→ a0 + a1 y + · · · + an−1 y n−1 .
166 Introduction to Applied Algebraic Systems
The same argument as in the proof of Theorem 2.13.3 will now show that θ is an isomorphism. Similarly G is isomorphic to Zp [z]/g (z) for some irreducible polynomial g (z) ∈ Zp [z] of degree n. But, as we saw earlier, G contains a root β of mα (x). Consequently, by Theorem 2.13.3, the fields Zp [y]/mα (y) and Zp [z]/g (z) are also isomorphic. So we have F∼ = Zp [z]/g (z) ∼ = G. = Zp [y]/mα (y) ∼ Therefore, the fields F and G are also isomorphic, as required.
Exercises 2.13 1. Construct an isomorphism from F = Z2 [y]/(1 + y + y 3 )
to G = Z2 [z]/(1 + z 2 + z 3 ).
2. Construct an isomorphism from F = Z3 [y]/(2 + y + y 2 )
to G = Z3 [z]/(2 + 2z + z 2 ).
3. Construct a nonidentity automorphism of F = Z5 [y]/(1 + y + y 2 ). 4. Show that the mapping ϕ constructed in the converse part of Theorem 2.13.3 is a bijection. 5. The elements y and 1 + y are both primitive in GF(9) = Z3 [y]/(2 + y + y 2 ) (see text). Show that there does not exist an automorphism ϕ of GF(9) with ϕ(y) = 1 + y. 6. Let F and G be finite fields of characteristic p, and ϕ : F → G be an isomorphism. Let α ∈ F . Show that (i) α is primitive if and only if ϕ(α) is primitive (ii) mα (x) = mϕ(α) (x). 7. Let F be a subfield of a field G and α, β ∈ G have the same minimal polynomial m(x) ∈ F [x] of degree n. Define ϕ : F (α) → F (β) (see Exercise 10 in section 2.7 for the definition of F (α), F (β)) by ϕ(a0 + a1 α + · · · + an−1 α n−1 ) = a0 + a1 β + · · · + an−1 β n−1 . Show that ϕ is an isomorphism of F (α) to F (β).
Rings and Fields 167
8. In the notation of Example 2.12.10, let α = z, β = 2z. Show that the mapping (a, b ∈ Z3 )
ϕ : a + bα −→ a + bβ
is an automorphism of GF(9). (Hint: Recall Exercise 10 in section 2.6.) 9. Repeat Exercise 8 with α = 1 + z and β = 1 + 2z. 10. Let α be a primitive element in GF(p n ). Show that every conjugate β of α is also primitive. 11. Let F be a subfield of the finite field G, α ∈ G\F , and mα (x) be the minimal polynomial for α over F . Show that the fields F (α) and F [y]/mα (y) are isomorphic. ∗∗ 12.
The addition and multiplication tables for the hexadecimal field H are provided here. This system is commonly used in communication systems because its 16 elements can be represented by packets of 4 0/1 bits more efficiently than can the decimal system. Identify this field by giving (i) a polynomial description of the field together with (ii) the corresponding polynomial form for each element in the table and (iii) the description of each element in the table as a power of a primitive element/polynomial. (a) Addition Table
+ 0 1 2 3 4 5 6 7 8 9 A B C D E F
0 0 1 2 3 4 5 6 7 8 9 A B C D E F
1 2 1 2 0 3 3 0 2 1 5 6 4 7 7 4 6 5 9 A 8 B B 8 A 9 D E C F F C E D
3 3 2 1 0 7 6 5 4 B A 9 8 F E D C
4 5 6 4 5 6 5 4 7 6 7 4 7 6 5 0 1 2 1 0 3 2 3 0 3 2 1 C D E D C F E F C F E D 8 9 A 9 8 B A B 8 B A 9
7 7 6 5 4 3 2 1 0 F E D C B A 9 8
8 8 9 A B C D E F 0 1 2 3 4 5 6 7
9 A 9 A 8 B B 8 A 9 D E C F F C E D 1 2 0 3 3 0 2 1 5 6 4 7 7 4 6 5
B B A 9 8 F E D C 3 2 1 0 7 6 5 4
C D E C D E D C F E F C F E D 8 9 A 9 8 B A B 8 B A 9 4 5 6 5 4 7 6 7 4 7 6 5 0 1 2 1 0 3 2 3 0 3 2 1
F F E D C B A 9 8 7 6 5 4 3 2 1 0
168 Introduction to Applied Algebraic Systems
(b) Multiplication Table
× 0 1 2 3 4 5 6 7 8 9 A B C D E F
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6 7 8 9 A B C D E F
2 3 4 0 0 0 2 3 4 4 6 8 6 5 C 8 C 3 A F 7 C A B E 9 F 3 B 6 1 8 2 7 D E 5 E A B 7 5 9 4 1 F 1 D D 2 9
5 0 5 A F 7 2 D 8 E B 4 1 9 C 3 6
6 0 6 C A B D 7 1 5 3 9 F E 8 2 4
7 8 0 0 7 8 E 3 9 B F 6 8 E 1 5 6 D D C A 4 3 F 4 7 2 A 5 2 C 9 B 1
9 0 9 1 8 2 B 3 A 4 D 5 C 6 F 7 E
A 0 A 7 D E 4 9 3 F 5 8 2 1 B 6 C
B C 0 0 B C 5 B E 7 A 5 1 9 F E 4 2 7 A C 6 2 1 9 D D F 6 3 8 4 3 8
D E 0 0 D E 9 F 4 1 1 D C 3 8 2 5 C 2 9 F 7 B 6 6 8 3 4 E A A B 7 5
F 0 F D 2 9 6 4 B 1 E C 3 8 7 5 A
2.14 Error Correcting Codes
In electronic communications such as with satellites, space stations, Mars landers, or cellular phones, the signals can be weak or there may be interference as a result of background noise, resulting in the loss or corruption of some of the transmitted data. In data storage on CDs, DVDs, hard drives, and so on, data can also become corrupted for various reasons such as scratches or magnetic interference. The exponential growth in data storage and digital communication would not have been possible without the development of techniques to deal with such problems. If you are chatting with a friend at a noisy party and don’t catch a comment (“Was that ‘If you join our firm we can offer you a handsome salary’ or ‘If you join our firm we can’t offer you a handsome salary’?”), the solution is easy. You just say, “Pardon, but I didn’t catch that. Could you repeat it please”. This approach, known as the automatic repeat request, can be a simple and effective solution. If an error or ambiguity is detected, then you ask for the message to be repeated. Bar codes like the UPC are designed with this approach in mind. It is designed to detect (most) errors in the scanning process and then, if an error is detected, the bar code should simply be read again. But what if it is impractical to request that every message containing an error be resent (for example, from a Mars lander), or if the source of data
Rings and Fields 169
has been damaged and resending or rereading the data will not improve the situation (as would be the case with a scratch on a CD)? In these situations, the only solution is to accept that there will be some errors and try to devise means to correct them. This is where error correcting codes play a critical role. The basic idea is to introduce a sufficient amount of redundancy (a bit like the check digits in bar codes) to make it possible to reconstruct the original message. Of course, it should be appreciated that error correction can’t work miracles and can only be effective in the presence of a relatively small number of errors. If you toss a CD in the fire for a couple of minutes, it is not likely that you will be able to recover much of the data afterward. On the other hand, it can do some very impressive things. For instance, if you happen to scratch a CD with a ring or scratch it when you put it into its sleeve, then you might hope that the error correcting features of the CD would fix that well enough that there would be no telltale “clicks”. In general, a code just means a collection of words that might be used in some encoding scheme. For example, at one extreme, one might take all words over some alphabet. If we chose the English alphabet then the code would include all the words in the usual English dictionary, but also “words” such as abcd . . . z, zzzyyywww, yllis, and so forth. If we chose the binary alphabet {0, 1}, then the code would include all binary strings. However, generally speaking one wants to work with a subset of all the words over the chosen alphabet rather than the set of all words, for reasons that will become apparent later. Here we just provide a brief glimpse at one particular approach using one particular class of codes known as linear block codes. In these codes, the digitized data are divided into uniform blocks of convenient size that are then treated as points in a vector space over a finite field. These kinds of codes are used in CDs and DVDs, and were used by NASA on the Mariner spacecraft and on the Voyager spacecraft to transmit data and color photographs from Jupiter, Saturn, Uranus, and Neptune. The following somewhat trivial example illustrates the idea. Suppose that we wish to transmit messages involving just four numbers: 0, 1, 2, and 3. Here are two different ways in which we might encode the letters of our messages:
C1 C2
0 00 000000
1 01 000111
2 10 111000
3 11 111111
If the number 2 is transmitted in C1 (as 10) and an error is introduced so that either 00 or 11 is received, then the receiver has little choice but to assume that 00 (that is, 0) or 11 (that is, 3) was the original message. However, if C2 is used and a single error is introduced, then it is still possible to identify the original message. In addition, even if two errors are introduced, then the recipient will be aware that errors have been introduced.
170 Introduction to Applied Algebraic Systems
Note that when we speak of the code C1 (respectively, C2 ) we mean the set of words used in the code. In the previous example, C1 = {00, 01, 10, 11} C2 = {000000, 000111, 111000, 111111}. We are interested in properties of these sets of words. The actual original encoding (2 → 111000, and so on) is not so important. These codes are both binary since their letters are drawn from Z2 = {0, 1}. More generally, by a code C over a field F of length n, we mean a subset C of F n . Then the elements of C are n-tuples of the form (a1 a2 a3 · · · an ), ai ∈ F . It is clear that the feature of the code C2 used here that makes it possible to recognize that some errors have occurred is the fact that the code words differ from each other in more positions than do the code words in code C1 . A useful measure of this feature is given by the following: For any a = (a1 a2 · · · an ), b = (b1 b2 · · · bn ) ∈ F n , the (Hamming) distance between a and b is d(a, b) = |{i | ai = bi }|. The (Hamming) distance of a code C ⊆ F n is d(C) = min{d(a, b) | a, b ∈ C, a = b}. For example, d((1011011), (0111100)) = 5 whereas d(C1 ) = 1, d(C2 ) = 3. The Hamming distance has properties resembling the familiar properties of distance between two real numbers as measured by the absolute value of their difference. Lemma 2.14.1 For any a, b, c ∈ F n , (i) d(a, b) = 0 ⇐⇒ a = b (ii) d(a, b) = d(b, a) (iii) d(a, c) ≤ d(a, b) + d(b, c). Proof. Parts (i) and (ii) are obvious. (iii) Let a = (ai ), b = (bi ) and c = (ci ). Then ai = ci =⇒ either ai = bi or bi = ci .
Rings and Fields 171
Therefore, |{i | ai = ci }| ≤ |{i | ai = bi }| + {{i | bi = ci }| or d(a, c) ≤ d(a, b) + d(b, c). Consider what happens with codes of small distance. Let C be a code. d(C) = 1. This means that there are two code words u, v with d(u, v) = 1. It only takes one error in the right place to convert the code word u into the code word v and vice versa. So any recipient of the messages u, v, from a channel where it is possible to expect one error, would have no idea whether the original message that was sent was u or v. So such a code would not even detect some quite small errors. d(C) = 2. Now there is at least one pair of code words (say, u, v) that differ from each other in just two positions, but nothing smaller than that. It requires at least two errors in the appropriate positions to convert u to v or vice versa. This means that any single error in a code word will not be sufficient to convert it to a new code word. If a single error is introduced into a code word, then the new word will not be a code word and will therefore be detectable. So we say that a code of distance two can detect single-errors and is called a single-error detecting code. d(C) = 3. For this kind of code, it takes at least three errors in the right positions to change one code word to a second code word. If the channel of communication introduces one or two errors into a code word, the received word will still not be a code word and thus will be recognized as not being a code word. Therefore, this code can detect two errors and would be called a two-error detecting code. However, in this case we can go a step further. If a single error is introduced into a code word u to produce a noncode word w, then it will be recognizable as not being a code word. But now if we ask, as the recipients of the word w, what is the word that was most likely sent, we can see that it would only have taken one error in the transmission of the word u to have produced the word w. However, to obtain w from any other code word v would have required at least two errors in v in the right positions. So, if we feel that it is unlikely that there would be more than one error in the received word, then we may feel that it is a safe bet that u, the nearest neighbor, so to speak, was the original word transmitted. In such a case, the code C is said to be single-error correcting. Being able to “correct” one, two, three, …errors may not seem like much, but it is amazing how by combining codes and adopting techniques such as interleaving words it is possible to spin this out to an ability to correct dozens, even hundreds of errors in a block of transmitted words.
172 Introduction to Applied Algebraic Systems
The nearest-neighbor decoding principle consists of decoding any received word to the nearest code word, if such exists. Theorem 2.14.2 Let C ⊆ F be a code with Hamming distance δ ≥ 2e + 1 where e ∈ N. Let c be a transmitted code word that is received as w with, at most, e errors. Then c is the unique code word satisfying d(c, w) ≤ e. Proof. Exercise.
A code C ⊆ F n is said to be linear if it is a (vector) subspace of F n (over the field F ). The big attraction in dealing with linear codes is that it is much easier to determine the distance of the code than it is for an arbitrary code. Lemma 2.14.3 Let F be a finite field and C be a linear code in F n . Then, d(C) = min{d(w, 0) | w ∈ C, w = 0}. Proof. By the definition of Hamming distance, for any u, v ∈ C, d(u, v) = d(u − v, v − v) = d(w, 0) where w =u−v ∈C
and
0=v −v ∈C
since C is linear. Hence, {d(u, v) | u, v ∈ C} = {d(w, 0) | w ∈ C} and d(C) = min{d(u, v) | u, v ∈ C} = min{d(w, 0) | w ∈ C}. There are three important numbers associated with any linear code C ⊆ F n: (i) n, the length of code words. (ii) dim C. (iii) d(C). In the search for good codes it is desirable to make both d(C) and the ratio (dim C)/n as large as possible. The larger the value of d(C), the greater will be the error-correcting capabilities. The larger the value of (dim C)/n, the more efficiently the code uses space. However, (dim C)/n tends to decrease as
Rings and Fields 173
d(C) increases. This makes the task of finding good codes both challenging and interesting. A linear code C ⊆ F n is cyclic if (a0 a1 · · · an−1 ) ∈ C =⇒ (an−1 a0 · · · an−2 ) ∈ C. For example, C = {(000), (110), (011), (101)} is a cyclic code in Z32 . We will describe a method for constructing cyclic codes that will also give us information about the dimension of the code that we are constructing. Let p be a prime and n > 1. Let R = Zp [x]/(x n − 1). Since x n −1 is reducible, R is not a field. Nonetheless, as before, we can identify the elements of R with the set of all polynomials a0 + a1 x + a2 x 2 + · · · an−1 x n−1
(ai ∈ F )
and the arithmetic of R is considerably simplified by the equality x n = 1. Let g (x) ∈ Zp [x] and g (x) | x n − 1 in Zp [x]. Define Ig (x) = {k(x)g (x) ∈ R | k(x) ∈ Zp [x]} CIg (x) = {(a0 a1 · · · an−1 ) | a0 + a1 x + · · · + an−1 x n−1 ∈ Ig (x) }. Note that Ig (x) is a subset of R and that the polynomial products defining Ig (x) are calculated in R, that is, modulo x n − 1. An important basic property of Ig (x) is that it is closed under multiplication by elements of Zp [x] since we have, for any h(x) ∈ Zp [x], h(x)Ig (x) = {h(x)k(x)g (x) ∈ R | k(x) ∈ Zp [x]} ⊆ {k ∗ (x)g (x) ∈ R | k ∗ (x) ∈ Zp [x]} = Ig (x) . This leads to the following important method for generating cyclic codes.
174 Introduction to Applied Algebraic Systems
Lemma 2.14.4 CIg (x) is a cyclic subspace of Znp . Proof. The verification that CIg (x) is a subspace is left to you as an exercise. To see that CIg (x) is cyclic, we have (taking full advantage of the simplification x n = 1) (a0 · · · an−1 ) ∈ CIg (x) =⇒ a0 + a1 x + · · · + an−1 x n−1 ∈ Ig (x) =⇒ x(a0 + a1 x + · · · + an−1 x n−1 ) ∈ Ig (x) =⇒ a0 x + a1 x 2 + · · · + an−2 x n−1 + an−1 x n ∈ Ig (x) =⇒ a0 x + a1 x 2 + · · · + an−2 x n−1 + an−1 ∈ Ig (x) =⇒ an−1 + a0 x + · · · + an−2 x n−1 ∈ Ig (x) =⇒ (an−1 a0 · · · an−2 ) ∈ CIg (x) so that CIg (x) is indeed cyclic.
The next observation gives us a convenient test for membership in a cyclic subspace of the form CIg (x) from which we can deduce some useful information regarding the dimension of CIg (x) . Lemma 2.14.5 Let g (x) ∈ Zp [x] divide x n − 1 and v = (a0 a1 . . . an−1 ) and h(x) = a0 + a1 x + a2 x 2 + . . . + an−1 x n−1 . Then v ∈ CIg (x) ⇐⇒ g (x) | h(x) in Zp [x]. Moreover, dim(CIg (x) ) = n− deg(g (x)). Proof. By hypothesis, there exists s(x) ∈ Zp [x] such that x n − 1 = g (x)s(x). First assume that v ∈ CIg (x) . By the definition of CIg (x) , h(x) ∈ Ig (x) . In other words, there exists k(x) ∈ Zp [x] such that h(x) = k(x)g (x) mod x n − 1. This means that there exists t (x) ∈ Zp [x] with h(x) = k(x)g (x) + t (x)(x n − 1) = k(x)g (x) + t (x)g (x)s(x) = g (x)(k(x) + t (x)s(x)) where g (x) divides h(x) in Zp [x]. Conversely, suppose that g (x) divides h(x) in Zp [x]. Then there exists k(x) ∈ Zp [x] with h(x) = k(x)g (x) ∈ Ig (x) so that v ∈ CIg (x) .
Rings and Fields 175
For the final claim, let deg(g (x)) = m. We will establish the equivalent claim that Ig (x) has dimension n − deg(g (x)). Let h(x) ∈ Ig (x) . By the first part of the lemma, there exists k(x) ∈ Zp [x] with h(x) = k(x)g (x) in Zp [x] where, necessarily, deg(k(x)) ≤ n − m − 1. Let k(x) = k0 + k1 x + k2 x 2 + · · · + kn−m−1 x n−m−1 . Then h(x) = k(x)g (x) = k0 g (x) + k1 xg (x) + k2 x 2 g (x) + · · · + kn−m−1 x n−m−1 g (x) so that h(x) is a linear combination (over Zp ) of the polynomials g (x), xg (x), x 2 g (x), . . . , x n−m−1 g (x). Since these polynomials have degrees m, m + 1, m + 2, · · · , n − 1, respectively, it is clear that they are independent. Hence, they form a basis for Ig (x) and we have that dim(Ig (x) ) = n − 1 − deg(g (x)), as required. It is clear that in this context, the factorizations of x n −1 are of considerable importance. See the Table of Factorizations of x n − 1 in Z2 [x] for a few such factorizations over Z2 . Table of Factorizations of x n
x −1 x2 − 1 x3 − 1 x4 − 1 x5 − 1 x6 − 1 x7 − 1 x8 − 1 x9 − 1 x 10 − 1 x 11 − 1 x 12 − 1 x 13 − 1 x 14 − 1 x 15 − 1 x 16 − 1
− 1 in Z2 [x]
1+x (1 + x)2 (1 + x)(1 + x + x 2 ) (1 + x)4 (1 + x)(1 + x + x 2 + x 3 + x 4 ) (1 + x)2 (1 + x + x 2 )2 (1 + x)(1 + x + x 3 )(1 + x 2 + x 3 ) (1 + x)8 (1 + x)(1 + x + x 2 )(1 + x 3 + x 6 ) (1 + x)2 (1 + x + x 2 + x 3 + x 4 )2 (1 + x)(1 + x + · · · + x 10 ) (1 + x)4 (1 + x + x 2 )4 (1 + x)(1 + x + · · · + x 12 ) (1 + x)2 (1 + x + x 3 )2 (1 + x 2 + x 3 )2 (1 + x)(1 + x + x 2 )(1 + x + x 2 + x 3 + x 4 )(1 + x + x 4 )(1 + x 3 + x 4 ) (1 + x)16
Example 2.14.6 Let g (x) = (1 + x)(1 + x + x 2 ) = 1 + x 3 . From the table, we see that g (x) | x 6 − 1. Here, g (x) corresponds to the vector
176 Introduction to Applied Algebraic Systems
(100100) ∈ Z62 and CIg (x) = {(000000), (100100), (010010), (001001), (110110), (011011), (101101), (111111)}. By Lemma 2.14.3, we see that d(CIg (x) ) = 2, and it is easy to see that the dimension of CIg (x) is 3. If we choose our parameters carefully, we can get some important information regarding d(CIg (x) ). Theorem 2.14.7 Let p be a prime, k ∈ N, g (x) ∈ Zp [x], g (x) | x n − 1, g (x) | k x p −1 − 1, and α be an element of order n in GF(p k )∗ . Let the roots of g (x) in GF(p k ) contain a run of m consecutive powers of α: α l+1 , α l+2 , . . . , α l+m . Then d(CIg (x) ) ≥ m + 1. Note. By Theorem 2.12.8, x p −1 − 1 has a complete set of roots in GF (p k ) k and, since g (x) divides x p −1 − 1, g (x) also has a complete set of roots in k GF (p ). Since every element of GF(p k )∗ has order dividing p k − 1, it follows that n must divide p k − 1. Furthermore, for any divisor n of p k − 1 and any k primitive element β ∈ GF(p k ), the element α = β (p −1)/n will have order n. Consequently such elements exist and are easy to find. k
Proof. For the sake of simplicity, we will just take l = 0 and m = 3. The proof of the general case uses induction and is a bit more complicated. However, this case illustrates quite well the essential ideas of the general case. Under the assumptions l = 0, m = 3, we wish to establish that d(CIg (x) ) ≥ 4. By Lemma 2.14.3, it will suffice to show that every nonzero element of CIg (x) has at least four nonzero components. So, let C = CIg (x) and consider any nonzero element v = (a0 a1 . . . an−1 ) ∈ C. We want to show that at least four of the ai are nonzero. We will argue by contradiction. Suppose that no more than three of the ai are nonzero and that they are among the three components ar , as , at (at least one of which is nonzero), where r < s < t . Let h(x) = a0 + a1 x + · · · + an−1 x n−1 .
Rings and Fields 177
Then, since g (α i ) = 0, for i = 1, 2, 3, we have v ∈ C =⇒ h(x) ∈ Ig (x) =⇒ g (x) | h(x)
(by Lemma 2.14.5)
=⇒ h(α i ) = 0,
i = 1, 2, 3
=⇒
n−1
aj (α i )j = 0,
i = 1, 2, 3.
j=0
Taking advantage of the fact that all the ai other than ar , as , and at are zero, this reduces to a system of three equations: ar α r + as α s + at α t = 0. ar α 2r + as α 2s + at α 2t = 0. ar α
3r
3s
+ as α + at α
3t
(2.13)
= 0.
Now consider this as a system of three equations in the three unknowns ar , as , at . This system has a determinant of coefficients r α 2r α α 3r
αs
αt
α 2s
α 2t
α 3s
α 3t
= α r+s+t = α r+s+t
= α r+s+t
1
1
1
αr
αs
αt
α 2r
α 2s
α 2t
1
1
1
0
αs − αr
αt − αr
0
α 2s − α r+s
α 2t − α r+t
αs − αr 2s α − α r+s
αt − αr α 2t − α r+t
1 = α r+s+t (α s − α r )(α t − α r ) s α
1 αt
= α r+s+t (α s − α r )(α t − α r )(α t − α s ). However, α is of order n in GF(p k ) and therefore the elements α r , α s , and α t are distinct. Thus, the system of equations (2.13) has a nonzero determinant of coefficients and therefore has a unique solution ar = as = at = 0, which contradicts our assumption. Hence, at least four of the components ai must be nonzero and therefore d(C) ≥ 4, as required.
178 Introduction to Applied Algebraic Systems
Note that the information obtained in Theorem 2.14.7 regarding d(CIg (x) ) can depend on the choice of the element α (see exercises). Note also that Theorem 2.14.7 guarantees a minimum distance for the corresponding code. The actual distance of the code might be larger than the guaranteed minimum. Linear codes of the sort constructed in Theorem 2.14.7 were first developed by R. C. Bose and D. Ray-Chaudhuri and, independently, by A. Hocquenghem. As a result, they are referred to as BCH codes. One important refinement of the BCH codes was introduced by I. Reed and G. Solomon. In Reed-Solomon codes, it is not required that the polynomial g (x) be over the base field (for example, Zp ). This makes it possible to choose exactly the roots that we want g (x) to have and no more. So, for instance, for any element α in GF(p k ) of order n, we can define g (x) = (x − α l+1 )(x − α l+2 ) · · · (x − α l+m ) so that g (x) is guaranteed to have a run of m powers of α as roots, and thus the corresponding code generated by g (x) will have distance of at least m + 1. Of course, the coefficients of code elements are then elements of GF(p k ), rather than the base field or the prime subfield, but this is easily handled computationally. The big gain here is that, by Lemma 2.14.5, as the degree of g (x) decreases, the dimension of the code space increases. Thus, we can achieve a larger code space with the same distance, or a larger distance with the same dimension for the code space. Thus there is an interesting trade-off between the code distance and the code dimension. Example 2.14.8 Let GF(16) = Z2 [z]/(z 4 + z + 1). See Example 2.12.12 for background details. Then α = z is a primitive element. Let g (x) = (x 4 + x 3 + x 2 + x + 1)(x 4 + x 3 + 1) ∈ Z2 [x]. Then g (x) divides x 15 − 1. Moreover (from Example 2.12.12), we see that, x 4 + x 3 + x 2 + x + 1 has roots α 3 , α 6 , α 9 , α 12 x 4 + x 3 + 1 has roots α 7 , α 11 , α 13 , α 14 . It follows that g (x) has the run α 11 , α 12 , α 13 , α 14 among its roots. Therefore, d(CIg (x) ) ≥ 5. The results of this section introduce some of the fundamental concepts in error correcting codes. Hopefully, this will inspire the reader to explore this
Rings and Fields 179
fascinating and important topic further. A nice introduction to algebraically based error correcting codes can be found in [Van]. Exercises 2.14 1. Let C = {(00000), (10101), (11101), (00011)}. Find d(C). 2. For any α = (a1 a2 · · · an ) ∈ Zp n , let w(α) = |{i | ai = 0}|. Then w(α) is called the weight of α. Show that if C ⊆ Zp n is a linear code, then d(C) = min{w(α) | α ∈ C, α = 0}. 3. Let C be the code in Exercise 2, with n = 4. List all elements in the sphere S0 of radius 2 about 0 = (0000) where S0 = {α ∈ C | d(0, α) ≤ 2}. 4. Construct a binary code C ⊆ Z2 8 with 8 elements and d(C) = 4. 5. Let n ∈ N and let C be the binary code of length n consisting of all elements of Z2 n of even “weight”—that is, with an even number of nonzero components. (i) (ii) (iii) (iv)
Show that C is a cyclic code. What is the dimension of C? What is d(C)? Show that C contains exactly half the elements of Z2 n .
6. If a message is transmitted using the code C = {(11000), (01101), (10110), (00011)} decode the following received vectors using the nearest-neighbor decoding strategy: (i) (10100). (ii) (01010). 7. For each of the following polynomials (i) f (x) = x 4 + x + 1 (ii) g (x) = x 4 + x 3 + x 2 + x + 1 (iii) h(x) = (x 4 + x + 1)(x 4 + x 3 + x 2 + x + 1) in Z2 [x], and using the presentation of GF(16) in Example 2.12.11, find a lower bound for d(CIg (x) ) based on Theorem 2.14.7.
180 Introduction to Applied Algebraic Systems
8. In Z2 [x], x 7 − 1 = (x + 1)(x 3 + x 2 + 1)(x 3 + x + 1). Let g (x) = (x + 1)(x 3 + x + 1). (i) (ii) (iii) (iv)
Find the code C corresponding to g (x). Find a primitive element α ∈ GF(8). Which powers of α are roots of g (x)? What can you say about d(C), from the information in (iii)?
9. Prove Theorem 2.14.2. 10. Prove that CIg (x) , as defined prior to Lemma 2.14.4, is a subspace of Znp . 11. Assume the following: The polynomials f (x) = x 5 + x 3 + 1, g (x) = x 5 + x 4 + x 3 + x + 1 ∈ Z2 [x] are irreducible so that, in particular, we may take Z2 [y]/f (y) as a representation of GF(32). Let α = y. Then β = α 3 is a root of g (x). (i) (ii) (iii) (iv)
Find C(α 3 ). What does Theorem 2.14.7 tell us about d(CIg (x) ) based on (i)? Find C(β) (in terms of β). What does Theorem 2.14.7 tell us about d(CIg (x) ) based on (iii)?
3 Groups and Permutations
Groups first appeared in the early part of the 19th century in the study of solutions to polynomial equations by Abel and Galois. Indeed, it appears that Galois was the first to use the term group. The examples that appeared in the work of Abel and Gauss are what we would now recognize as groups of permutations (of roots of polynomials). The abstract definition of a group emerged later in the century in the work of Cayley. Group theory is, perhaps, at its most picturesque in the study of symmetry—a topic that we will be able to introduce here. We will also see its usefulness in various kinds of counting problems. Nowadays, however, group theory is not just a beautiful part of mathematics, but is also an essential tool in such diverse areas as quantum physics, crystallography, and cryptography.
3.1 Basic Properties
A group consists of a nonempty set G together with a binary operation ∗ (that is, a pair (G, ∗)) with the following properties: G1: For all x, y ∈ G, x ∗ y ∈ G. G2: For all x, y, z ∈ G, x ∗ (y ∗ z) = (x ∗ y) ∗ z. G3: There exists an element 1 ∈ G with 1∗x =x ∗1=x 181
for all x ∈ G.
182 Introduction to Applied Algebraic Systems
G4:For all x ∈ G, there exists an element x ∈ G with x ∗ x = x ∗ x = 1. Strictly speaking, it can be argued that axiom G1 is superfluous. If one assumes that the values of a binary operation are always, by definition, in the set itself, then it is not necessary to list this first axiom. However, it is none-the-less useful to include it, since we may inadvertently consider an operation such as subtraction on the set of positive integers where closure is lacking. It is important to appreciate that we have adopted the symbol ∗ to represent an unspecified operation. In particular situations, we would, naturally, replace ∗ with whatever specific symbol seemed most appropriate. For instance, if we were discussing addition of numbers, vectors or matrices, it would be most natural to use the symbol + for addition. On the other hand, if we were discussing multiplication of numbers or matrices, then it would be most natural to adopt the symbol for multiplication. Except when it is really important to identify which operation ∗ is being used, we usually write just xy instead of x ∗ y. The expression xy is referred to as the juxtaposition of x and y. When there is no risk of confusion concerning the operation, it is usual to refer to “the group G”, rather than the more formal “the group (G, ∗)”. Systems (G, ∗) that have some but not all the properties G1 through G4 are also important especially in relation to the theory of automata in theoretical computing science. In particular, (G, ∗) is a semigroup if it has properties G1 and G2, and is a monoid if it has properties G1 through G3. Some aspects of these systems will be explored in the exercises. There are many properties that a group might have in addition to G1 through G4. One is G5. For allx, y ∈ G, x ∗ y = y ∗ x. A group satisfying G5 is called a commutative group or an abelian group (in honor of the Norwegian mathematician N. H. Abel). Example 3.1.1 Some examples of groups are the following: (1) (Q, +), (R, +), (C, +) (2) (V , +), for every vector space V (3) (Q+ , ·), (R+ , ·), (C∗ , ·) (4) (Zn , +) (5) The set of invertible matrices over a field, with respect to matrix multiplication
Groups and Permutations 183
(6) {1, −1, i, −i} under multiplication (7) (F , +) for every field F (8) (F ∗ , ·) for every field F At this point, it is a useful exercise for you to identify some algebraic structures that are not groups (such as real valued functions of a real variable under composition). Lemma 3.1.2 Let G be a group and x ∈ G. (i) G has only one element satisfying G3. (ii) G has only one element x satisfying G4. Proof. (i) Let 1 and e both satisfy G3. Then e = 1e =1
by G3 applied to 1 by G3 applied to e.
(ii) The proof of (ii) is similar to that of (i) and is left to you as an exercise. Let G be a group. We will denote the unique element satisfying G3 by 1, 1G , e, or eG as convenient and call it the identity of G. However, if we are using addition as the group operation (for example, in (Q, +)), then it is more natural to refer to the unique element satisfying G3 as the zero and to denote it by 0. We denote the unique element satisfying G4 by x −1 , unless the group operation is addition, in which case we denote it by −x, and call it the inverse of x. Lemma 3.1.3 Let G be a group and x, y ∈ G. (i) (x −1 )−1 = x. (ii) (xy)−1 = y −1 x −1 . Proof. (i) We leave this for you as an exercise. (ii) We have xy(y −1 x −1 ) = x(yy −1 )x −1 = x 1 x −1 = xx −1 =1
by G2 by G4 by G3 by G4.
Similarly, y −1 x −1 xy = 1. Thus, y −1 x −1 satisfies G4 (with respect to xy) so that y −1 x −1 must be the inverse of xy.
184 Introduction to Applied Algebraic Systems
Lemma 3.1.4 Let G be a group and a, b, c ∈ G. (i) The cancellation laws hold in G—that is, ac = bc ⇒ a = b, ca = cb ⇒ a = b. (ii) The equation ax = b has a unique solution (for x). Proof. (i) We have ac = bc ⇒ (ac)c −1 = (bc)c −1 ⇒ a(cc −1 ) = b(cc −1 ) ⇒ a1 = b1 ⇒ a = b. This establishes the first implication in (i) and the second follows from a similar argument. (ii) We first show that the equation has a solution. Let c = a −1 b. Then ac = a(a −1 b) = (aa −1 )b = 1b =b so that c is a solution. Now suppose that d is also a solution. Then ac = b = ad so that ac = ad and, by part (i), c = d. Thus, the solution is unique.
It is useful when calculating in a group to be able to use exponents, so we define, for any element x of a group G, x 0 = 1, x 1 = x x n+1 = (x n )x x
−n
= (x
−1 n
)
(n ≥ 0) (n > 0).
Similarly, when the operation is addition, we find it useful to adopt the usual notation for multiples: 0 · x = 0, 1 · x = x (n + 1)x = nx + x
(n ≥ 0)
(−n − 1)x = (−n)x − x
(n > 0).
Groups and Permutations 185
Typically we assume that any unspecified group operation is multiplication. However, every result could be reformulated in terms of ∗ or + (even if + is not a commutative operation). Lemma 3.1.5 Let G be a group and x ∈ G. Then, for any m, n ∈ Z, x m x n = x m+n , Proof. Exercise.
(x m )n = x mn .
For any group G, we call |G|, that is, the number of elements in G, the order of G. If x ∈ G and there exists a positive integer m with x m = 1, then we call the least such integer the order of x and denote it by ord (x) or |x|. If there is no such integer, then we say that x has infinite order. Note that we always have |1| = 1 whenever 1 denotes the identity in a group. Example 3.1.6 (1) In (Z, +), every nonzero element has infinite order. (2) In (Z12 , +) we have x 0 1,5,7,11 2,10 3,9 4,8 6
order of x 1 12 6 4 3 2
Lemma 3.1.7 Let G be a group and a ∈ G be an element of order m. Let n ∈ Z. (i) |a −1 | = m. (ii) a n = 1 ⇐⇒ m | n. Proof. (i) Exercise. (ii) If m | n, then there exists an integer k with n = km. Hence, a n = a km = (a m )k = 1k = 1. Conversely, suppose that a n = 1. By the division algorithm, there exist integers q, r with n = qm + r
with 0 ≤ r < m.
186 Introduction to Applied Algebraic Systems
Then 1 = a n = a qm+r = (a m )q a r = 1q a r = a r . By the minimality of m, we must have r = 0. Therefore, n = qm and m | n as desired. If G = {e = a1 , a2 , . . . , an } is a group, then it is possible to construct a multiplication table (sometimes called a Cayley table) that displays the values of all products in G:
e a2 a3 .. . an
e e a2 a3
a2 a2
a3 a3
. . . an an
an
The (i, j)th entry in the table is the element ai aj . An important observation concerning the multiplication table of a group is that the elements in any one row (respectively, column) must all be distinct. This is a consequence of the cancellation law established in Lemma 3.1.4(i). By Lemma 3.1.4(ii), every element of G must appear in each row and column. Thus, each row and each column is a rearrangement of the elements of G. In other words, every Cayley table is a latin square. Example 3.1.8 We will use the idea of a Cayley table to show that there is only one group of order 3 (apart from renaming the elements). Let G be a group of order 3. We know that it must have an identity; let us call it e. Let the remaining elements be a and b. When we look at the Cayley table, we find that there are just four positions to be filled:
e a b
e e a b
a a ∗ ∗
b b ∗ ∗
What options do we have in filling out the second row? We have two positions into which we must place e and b in some order. However, the third column
Groups and Permutations 187
already has a b. So we must place b in the second column and e in the third to obtain the following:
e a b
e e a b
a a b ∗
b b e ∗
This leaves us only one option for the third row:
e a b
e e a b
a a b e
b b e a.
Note that this is essentially the same table as we obtain with (Z3 , +) under the relabeling 0 ↔ e, 1 ↔ a, 2 ↔ b. An interesting way of presenting a group is in terms of generators and relations. For example, if we write G = a, b | a 2 = b 3 = e, ab = b −1 a then we mean that every element of G can be expressed as a product of a’s and b’s, and their inverses, and that the multiplication is completely determined by the relations a 2 = b 3 = e, ab = b −1 a. Notice that, since a 2 = e we have a −1 = a, and since b 3 = e we have b −1 = b 2 , so that we could write ab = b −1 a as ab = b 2 a. Thus, every element of G can be written as a product involving just a and b without using inverses at all. Moreover, if we write down a product x1 x2 x3 · · · xn where each xi ∈ {a, b}, then we can replace every occurrence of ab by b 2 a. This means that every element of G is of the form b r a s for some r, s ≥ 0. Since a 2 = b 3 = e, we can actually restrict r and s so that 0 ≤ r ≤ 2, 0 ≤ s ≤ 1. Hence, G = {e, a, b, ba, b 2 , b 2 a} and we may use the given rules to calculate the full multiplication table.
188 Introduction to Applied Algebraic Systems
There is a very simple way of constructing new groups from “old” groups. Let G1 , . . . , Gn be groups and let G = G1 × G2 × · · · × Gn be endowed with the multiplication ∗ where (a1 , a2 , . . . , an ) ∗ (b1 , b2 , . . . , bn ) = (a1 b1 , a2 b2 , . . . , an bn ). Then (G, ∗) is a group (see the exercises) known as the (external) direct product of the groups G1 , . . . , Gn . The basic properties of the direct product of groups are explored more fully in section 4.3. Of course, to be able to take advantage of this construction, we need to have a good supply of groups to start with. One important and interesting family of groups arises as discussed next. Let P be a set of points in R1 , R2 , or R3 . Then a rotational symmetry of P is a bijection of the set P to itself that can be achieved by means of some rigid physical motion. Usually we want to take P to be the set of points in some geometric shape like a triangle, square, . . . or cube, tetrahedron, and so on, or perhaps to be the set of vertices of such a shape. It is a somewhat surprising fact that every rigid motion of an object in three dimensions that leaves the object occupying exactly the same space as it did before the motion (but with a different orientation) can be achieved by means of a single rotation about some axis through the object. The verification of this important fact unfortunately lies beyond the scope of this introductory text. For any fixed figure P, we can combine such rotations by performing them successively one after the other. We can also invert them by reversing the rotation, and there is an “identity” that leaves everything fixed. In this way we obtain a group of rotational symmetries. Note that, if R and S are both rotational symmetries then we write RS to represent the rotational symmetry that is obtained by first applying S and then R. This is consistent with the manner in which we write the composition of two functions. Example 3.1.9 (1) A line segment has 2 rotational symmetries. (2) An equilateral triangle has 6 rotational symmetries. (3) A square has 8 rotational symmetries. (4) A regular n-gon has 2n rotational symmetries. We will denote the group of symmetries of an equilateral triangle by D3 , of a square by D4 , and of a regular n-gon by Dn .
Groups and Permutations 189
Consider the rotational symmetries of a square: .... ... . ....... .......... ............... ..... .... .
. ... ... ... .... .. . ......... ... .. .... ............ .......... . . . . . . ..... .. ......... .. ................. ... . .... .................................................................................................................. . . . ..... ..... .. ... ... .... ... .... . ... .... ... . ... . ... ... .... . ... ... ... . ... . . ... ... .... . ... . ... . .. . . ... . ... ...... .... ... .. ... .... . . ... . ........ ......... ............. ........ ........ .. ........... .......... ........ ........ ........ ........ ........ ........ ........ ... . . . ... . . . . . ... ... .. . ....... ..... ......... ........ ... .. ..... .... . ... .. ............................ ... ... ... ... ... .... . ... . . . . . ... ... . . .... ... .. .... .... . ... ... .... ..... ... .... ................................................................................................................... .. ... .. ... .... ... .. . .. ... .... .. . ... ... .... . . . ...
r a
A
rd
D
r
c r
B
b r
>
C
Let R denote the clockwise rotation through 90◦ about an axis that is perpendicular to the plane of the square. Repeating this rotation gives us 4 distinct rotations, including the identity I : I , R, R 2 , R 3 . In addition to these rotations (in the plane of the square), it is clear that we can also flip the square over—that is, by rotating the square through 180◦ about one of the following axes: ρA1 : the axis A1 that runs from top left to bottom right ρA2 : the axis A2 that runs from top right to bottom left ρA3 : the axis A3 that runs from top middle to bottom middle ρA4 : the axis A4 that runs from left side middle to right side middle. By considering all possible positions of the corners, we see that we have found all possible rotations and it is easily confirmed that all combinations of rotations will yield rotations so that we do indeed have a group of rotations D4 = {I , R, R 2 , R 3 , ρA1 , ρA2 , ρA3 , ρA4 }. If we let ρ = ρA1 , it is easy to see that ρA2 = R 2 ρ,
ρA3 = Rρ,
ρA4 = R 3 ρ
(always remembering that we are composing functions so that in computing Rρ, we apply ρ first and then R). This allows us to list the elements of D4 as D4 = {I , R, R 2 , R 3 , ρ, Rρ, R 2 ρ, R 3 ρ}
190 Introduction to Applied Algebraic Systems
where every rotation is expressed as a product of powers of just two rotations— namely, R and ρ—which is often useful. There is nothing special about the choice of ρ = ρA1 here; any of the choices ρ = ρA2 , ρ = ρA3 , ρ = ρA4 would work equally well. Note that |D4 | = 8. In a similar manner we can see that Dn = {I , R, R 2 , . . . , R n−1 , ρ, Rρ, . . . , R n−1 ρ} where R denotes the rotation about the axis perpendicular to the regular n-gon through an angle of 360◦ /n and ρ denotes a rotation about a suitable axis that bisects the n-gon (see Fig. 3.1). Thus Dn has precisely 2n elements. It is for this reason that the notation for this group is not standard and some authors choose to write D2n (highlighting the size of the group) where we will write Dn , (highlighting the number of vertices of the underlying n-gon). The simplest groups of rotations of three-dimensional objects arise in association with n-faced pyramids, n > 3, with bases forming regular polygons (see Fig. 3.2 for square-based and pentagonal-based pyramids). Clearly, the only rotational symmetries are those about a vertical axis through the apex by multiples of 360◦ /n. If R denotes the rotation through ................................ .............. ........ ........ ...... ..... ...... . . . .... .. . ... . .. ... . ... . . .. . . .. .. .... . . . . ... . .... ........ . . . . . . . . . . . ... . . . .................. .... .... .... .. .. . . . .... ......... ............... .... ... . ............. .... .... .. .... ........ .... ........ . . . .... ........ . .... 2π ........ .... ....n ........ .... .... . ....... .
.. .
...
Figure 3.1
.... ....... ... .. .... .... .. .... ...... .... ....... . . .... . .. .... ... . ... ... . .. .... ... . .. .... ... ... . .... . . . .. .... .. . . . .. .... .. . . . . .... .. .. .. . .... . .. .. ..... . .... . . .. ... .... .... .... ....... .... . . .... .... .... .. .. ... . . . . .. .... .... .... ....... .. .. ... . . . .. .... ......... . .. .. ... . . . . . .. .... ... .. .. ... ... .. .... . ... ... . . . . . . .. .. . .. .... ... .. .. ... ...... .. ... ..... .. ..... .... . . . . . .. .... .... .. ... ................... .. ....................... .. ...... ....................... . . . . . ....................... ................................ .....
Figure 3.2
.......... ............ ...... ........... . . . . .. . .... ... .. .. . ... .... ... ... .. ... ...... . . . .. .. . ... .. .. .... ...... ... .. .. .. .... ... ... ... . ... . .. ... ... ... . .. . ... . . . .. .. ... . .. . . ... ... .... ... . . . . . . . ... ...... . ...... .. ... . . . ........ . . . . ... . . . . .. ... .. . ... . .. . . . . . ... .. .. ..... . . . . . . . .. ... ..... .. .. .... .. . . . ... .... .. . . . . . . . . . .. . . . ...... ... . . . ... ..... . . .. ... ... ..... .. .. ... ... .. .. .. ....... .. . . . . .. .. . .. .. .. .. .. . . ... .. .. . . . . .. .. . .. .. .. .. .. .. ... .. ... .. .. .. . .. . .. .. . . .. ... .. . .. . .. .. .. .. ... . .......................... ................................................... ....... .........
Groups and Permutations 191
360◦ /n, then the group is {I , R, R 2 , . . . , R n−1 }. Exercises 3.1 1. Show that the set of invertible elements in Zn is an Abelian group with respect to multiplication. 2. Are the following groups? (P (X ) denotes the set of all subsets of a set X and for any subsets A and B of X , A ∗ B = (A\B) ∪ (B\A).) (i) (ii) (iii) (iv) (v)
(Z, −). (Q∗ , ÷). (P (X ), ∩). (P (X ), ∗). (Zn , · ).
3. Let X be a nonempty set. (i) Is the set TX of all mappings of X to X a group? (ii) Is the set of all injective mappings from X to X a group? (iii) Is the set of all surjective mappings from X to X a group? 4. Show that the set U = {1, −1, i, −i} of complex numbers is a group with respect to multiplication. 5. Suppose that G is a finite subset of (R∗ , · ), which is a group. Describe the possibilities for G. 6. Write out the Cayley table for (Z4 , +). 7. Write out the Cayley table for the group U of invertible elements in (i) Z6 (ii) Z8 (iii) Z10 . 8. Let G = {e, a, b, c}. Using the fact that Cayley tables are latin squares, show that there are essentially (that is, to within just exchanging the roles of elements a, b, c) only two group structures on G with e as the identity. (These two groups must look like (Z4 , +) and (Z2 , +) × (Z2 , +). The group (Z2 , +) × (Z2 , +) is called the Klein 4-group.) 9. Show that the inverse of an element in a group is unique. 10. Show that for any element x in a group G (i) (x −1 )−1 = x (ii) |x −1 | = |x|.
192 Introduction to Applied Algebraic Systems
11. Let G be a group, a, b ∈ G, |a| = m, |b| = n. Establish the following: (i) k | m =⇒ |a k | = mk . (ii) (k, m) = 1 =⇒ |a k | = m. (iii) ab = ba, (m, n) = 1 =⇒ |ab| = mn. 12. Let G be a group. Show that there is exactly one element x ∈ G such that x 2 = x. 13. Let x and y be elements of a group such that (xy)2 = x 2 y 2 . Show that xy = yx. 14. Let G be a group such that x 2 = e for all x ∈ G. Show that G is abelian. 15. Let (G, ∗) be the direct product of the groups Gi where Gi has identity ei . Show that (G, ∗) is a group where (i) eG = (e1 , . . . , en ) (ii) (a1 , . . . , an )−1 = (a1−1 , a2−1 , . . . , an−1 ) (iii) |G| = |G1 | |G2 | · · · |Gn |. 16. Describe every element of D3 as a single rotation and as a product of powers of two “generating” rotations. 17. Describe every element of Dn as a single rotation. 18. Construct a Cayley table for D3 . 19. Show that Dn (n ≥ 3) is not abelian. ∗ 20.
Let F be a field. Show that the set Aut(F ) of all automorphisms of F is a group with respect to composition of functions.
21. Let P be the prime subfield of a field F . Show that α(a) = a for all a ∈ P, α ∈ Aut(F ). 22. Let X be a nonempty set and F denote the set of all sequences of the form x1 x2 · · · xn (xi ∈ X ), including the empty sequence ∅. Define the product of two words in F to be the word obtained by joining the two sequences
(x1 x2 · · · xm ) ∗ (y1 y2 · · · yn ) = x1 x2 · · · xm y1 y2 · · · yn . Show that (F , ∗) is a monoid. 23. Show that the set TX of all mappings from a set X to itself under composition of functions is a monoid. 24. Show that the set CR of all continuous functions from R to R under composition of functions is a monoid.
Groups and Permutations 193
25. Let I be a nonempty set and S = I × I and define a multiplication on S by (i, j) ∗ (k, ) = (i, ). Show that S is a semigroup and is a monoid if and only if |I | = 1. 26. Let S be a semigroup. Define the relations L and R on S by a L b ⇐⇒ Sa ∪ {a} = Sb ∪ {b}
and
a R b ⇐⇒ aS ∪ {a} = bS ∪ {b}.
(i) Show that L and R are equivalence relations on S. (ii) Let a, b, c, d, x, y ∈ S be such that a L b, b R c, a = xb
and
c = by.
Let d = xby. Show that a R d and d L c. 27. Let S be a monoid and call an element a ∈ S invertible if there exists an element x ∈ S with ax = xa = 1. Show that the set U of all invertible elements of S is a group.
3.2 Subgroups
Let H be a subset of G. If H is itself a group under the same operations as in G, then H is a subgroup of G. For every group G, we always have the subgroups {e} and G. We refer to {e} as the trivial subgroup. If H is a subgroup of G and H = G, then H is a proper subgroup. Since not all subsets are subgroups, our first task is to develop a suitable test for subgroup status! Theorem 3.2.1 Let H be a nonempty subset of a group G. Then the following statements are equivalent: (i) H is a subgroup of G. (ii) a, b ∈ H =⇒ ab, a −1 ∈ H . (iii) a, b ∈ H =⇒ ab −1 ∈ H . Note: Before proceeding to the proof, take note of the important precondition that H = ∅. The easiest way to establish that H = ∅ is usually to show that e ∈ H. Proof. (i) implies (ii). Let a, b ∈ H . From the definition of a subgroup, we know immediately that ab ∈ H . We also know that H must have an identity eH . If e denotes the identity of G, then e eH = eH = eH eH
194 Introduction to Applied Algebraic Systems
so that, by cancellation in G, we have eH = e. Let a −1 denote the inverse of a in G. Since H is a subgroup, there exists x ∈ H with ax = e = aa −1 . Again, by cancellation in G, we have a −1 = x ∈ H . (ii) implies (iii). Let a, b ∈ H . By (ii), we have b −1 ∈ H and, therefore, by (ii) again we have ab −1 ∈ H . (iii) implies (i). By hypothesis, H = ∅. So let a, b ∈ H . Then e = aa −1 ∈ H
(3.1)
b −1 = eb −1 ∈ H
(3.2)
from which we have ab = a(b −1 )−1 ∈ H . Thus, H is closed under the operation of G. The multiplication must be associative, since it is associative in G. By (3.1) we know that H contains an identity element and, by (3.2), each element of H has an inverse in H . Therefore G1 through G4 are satisfied and H is a group with respect to the operation in G. As part of the proof of Theorem 3.2.1, we have shown that a group and a subgroup must share the same identity. For the sake of highlighting this fact, we state it separately. Corollary 3.2.2 Let H be a subgroup of G. Then H and G have the same identity. Theorem 3.2.3 Let G be a group and a ∈ G. Then a = {a n | n ∈ Z} is a subgroup of G. Proof. Since a = a 1 ∈ G, we know that G = ∅. For a m , a n ∈ a we have a m (a n )−1 = a m a −n = a m−n ∈ a. By Theorem 3.2.1, a is a subgroup.
We refer to the subgroup a introduced in Theorem 3.2.3 as the (cyclic) subgroup of G generated by a. If a = G, then we say that G is a cyclic group generated by a. More generally, for any nonempty subset A of G, we denote the
Groups and Permutations 195
set of all products of elements, or inverses of elements from A by A. Then A is a subgroup of G, indeed, the smallest subgroup of G containing A and we call it the subgroup generated by A. For the sake of completeness, we define the subgroup generated by the empty set ∅ to be {1}. Thus ∅ = 1 = {1}. Example 3.2.4 In (Z12 , +), we have 0 = {0} 1 = 5 = 7 = 11 = Z12 2 = 10 = {0, 2, 4, 6, 8, 10} 3 = 9 = {0, 3, 6, 9} 4 = 8 = {0, 4, 8} 6 = {0, 6}. An important subgroup of any group G is its center: Z (G) = {a ∈ G | ax = xa
for all x ∈ G}.
We say that two elements a, b in a group G commute if ab = ba. Thus the center of a group G consists of those elements that commute with every other element of the group. Example 3.2.5 For every group G, the center Z (G) of G is a subgroup of G. Proof. Exercise.
It is time to give a formal expression to the idea that two groups are “essentially the same”. Let (G, ∗) and (H , ·) be groups. A mapping ϕ : G → H is a homomorphism if (i) ϕ(a ∗ b) = ϕ(a) · ϕ(b) for all a, b ∈ G. If, in addition, we have (ii) ϕ is bijective then we say that ϕ is an isomorphism and that (G, ∗) and (H , ·) (or simply G and H ) are isomorphic and write G ∼ = H. Example 3.2.6 Let θ : a → e a (a ∈ R) ϕ : a → n a (a ∈ R+ )
196 Introduction to Applied Algebraic Systems
where e is the usual exponential constant 2.71 . . . from calculus. Then θ is an isomorphism of (R, +) to (R+ , ·) and ϕ is an isomorphism from (R+ , ·) to (R, +). Theorem 3.2.7 Let G be a cyclic group with generator a. (i) If there exist distinct integers i and j with a i = a j , then there exists n ∈ N and an isomorphism ϕ : G → (Zn , +) with ϕ(a) = 1. (ii) Otherwise, G ∼ = (Z, +). Proof. (i) Let i and j be distinct integers with a i = a j . Without loss of generality, we may assume that i < j. Then e = a i a −i = a j a −i = a j−i where j − i > 0. Thus, we know that for some positive integer k, we have a k = e. Let n be the smallest positive integer such that a n = e. The preceding argument then shows that the elements e, a, . . . , a n−1 are all distinct. For any m ∈ Z, let q and r ∈ Z be such that m = nq + r
0 ≤ r < n.
Then a m = (a n )q a r = a r . Hence, G = {e = a 0 , a, . . . , a n−1 }. Now define ϕ : G → Zn by ϕ(a r ) = r
0 ≤ r ≤ n − 1.
Clearly, ϕ is a bijection. Also, for any i, j ∈ {0, 1, 2, . . . , n − 1}, let s, t ∈ Z be such that i + j = ns + t
0 ≤ t ≤ n − 1.
Groups and Permutations 197
Then ϕ(a i a j ) = ϕ(a i+j ) = ϕ(a t ) =t ≡n i + j = ϕ(a i ) + ϕ(a j ) and ϕ is an isomorphism. (ii) Now suppose that for all distinct integers i, j we have a i = a j . Define ϕ : G → Z by ϕ(a i ) = i
(i ∈ Z).
It follows immediately from the hypothesis in this case that ϕ is a bijection. Also ϕ(a i a j ) = ϕ(a i+j ) = i + j = ϕ(a i ) + ϕ(a j ). Therefore ϕ is an isomorphism.
Corollary 3.2.8 Let G be a group and a ∈ G. Then the order of a equals the order of a—that is, |a| = |a|. Proof. If there exist distinct integers i, j ∈ Z with i = j and a i = a j , then by Theorem 3.2.7, there exist n ∈ N and an isomorphism ϕ : a → Zn such that ϕ(a) = 1. Then |a| = |Zn | = n whereas |a| = |ϕ(a)| = |1| = n . Thus, |a| = |a|. If, on the other hand, a i = a j whenever i = j, then clearly |a| and |a| are both infinite. The following notation is useful when discussing the subgroups of Z or Zn . For any abelian group (G, +) and any m ∈ N, let mG = {mg | g ∈ G}. This will be explored further in the exercises.
198 Introduction to Applied Algebraic Systems
Exercises 3.2 1. Let Q+ = {x ∈ Q | x > 0}. (i) Is (Q + , +) a subgroup of (Q, +)? (ii) Is (Q + , ·) a subgroup of (Q, +)? (iii) Is (Z∗7 , ·) a subgroup of (Z7 , +)? 2. Find the smallest subgroup of (Z16 , +) containing (i) 10 (ii) 4 and 7. 3. Find all subgroups of (i) D3 (ii) D4 . Show that D4 contains a subgroup that is not cyclic. 4. Find subgroups of Dn of orders 2 and n. 5. Let G be a group. Show that the center Z (G) of G is a subgroup. 6. Let G be a group and a ∈ G. Show that ZG (a) = {x ∈ G | ax = xa} is a subgroup of G. 7. Find (i) (ii) (iii) (iv) ∗ 8.
Z (D3 ) Z (D4 ) Z(D2n+1 ), n ≥ 2 Z(D2n ), n ≥ 2.
Let Q8 be the subgroup of the group of 2 × 2 invertible matrices with complex entries generated by the matrices A= (i) (ii) (iii) (iv) (v)
0 −1
1 0
B=
0 i
i 0
.
Find the 8 elements of Q8 . Show that Q8 is not isomorphic to D4 . Show that Q8 is not commutative. Find all subgroups of Q8 . Show that every proper subgroup of Q8 is cyclic.
Q8 is known as the quaternion group. ∗ 9.
(Alternative definition of Q8 .) Let Q8 = a, b | a 4 = e, b 2 = a 2 , ba = a −1 b.
Groups and Permutations 199
Show that every element in Q8 can be written in the form a i b j where 0 ≤ i ≤ 3, 0 ≤ j ≤ 1, and deduce that |Q8 | = 8. (By completing the Cayley tables for Q8 (as in Exercise 8) and as defined here, it becomes evident that the correspondence a ↔ A, b ↔ B provides an isomorphism between the two descriptions.) 10. Let G be a group and H be a finite subset of G such that (i) H = ∅ (ii) a, b ∈ H =⇒ ab ∈ H . Show that H is a subgroup of G. 11. Let (G, +) be an abelian group and m ∈ N. Show that mG is a subgroup of G. 12. Let (G, +) be an abelian group and n ∈ N. Show that Gn = {a ∈ G | na = 0} is a subgroup of G. 13. Show that every subgroup A of (Z, +) is of the form m Z for some m ∈ N. 14. Show that every subgroup A of (Zn , +) is of the form m Zn for some m ∈ N such that m | n. 15. Show that if H and K are subgroups of a group G, then so also is H ∩ K . 16. Let ϕ : G → H be an isomorphism where G and H are groups. Let a ∈ G. (i) Show that ϕ(a −1 ) = ϕ(a)−1 . (ii) Show that |ϕ(a)| = |a|. 17. Let G, H be groups and ϕ : G → H be a homomorphism. (i) Show that ϕ(G) = {ϕ(a) | a ∈ G} is a subgroup of H . (ii) Show that ker(ϕ) = {a ∈ G | ϕ(a) = eH } is a subgroup of G. 18. Show that (Z2 , +) × (Z2 , +) is not isomorphic to (Z4 , +). 19. Show that (Z2 , +) × (Z3 , +) is isomorphic to (Z6 , +). 20. Let m, n ∈ N be relatively prime. Show that (Zm , +) × (Zn , +) is isomorphic to (Zmn , +). 21. Find an irregular m-gon with a group of rotations isomorphic to (Zn , +). 22. Let F be a field and H a subgroup of Aut(F ). Show that K = {a ∈ F | α(a) = a is a subfield of F .
for all α ∈ H }
200 Introduction to Applied Algebraic Systems
23. Let G be a group. (i) Show that, for any a ∈ G, the mapping ϕa : x → axa −1
(x ∈ G)
is an isomorphism of G to itself. (ii) Show that the mapping (a ∈ G)
θ : a → ϕa
is a homomorphism of G into the group of permutations SG of G. (iii) Show that the kernel of θ —that is, {a ∈ G | θ(a) = e}—is equal to Z (G), the center of G.
3.3 Permutation Groups
By a permutation of a set X we mean a bijection of X onto X . Generally, we denote the set of all permutations of X by SX . However, if X = {1, 2, 3, . . . , n} then we write SX = Sn . Let α ∈ Sn . Since α is defined on a finite set and has only a finite number of values, we can display them in an array with two rows: α=
1 α(1)
2 α(2)
n . α(n)
...
3 α(3)
For example,
1 α= 2
2 3
3 5
4 4
5 1
means that α ∈ S5 and α(1) = 2, α(2) = 3, α(3) = 5, α(4) = 4, α(5) = 1. An element of the form
1 a1
2 a2
3 a3
...
n an
describes a unique permutation of Sn if and only if every element of {1, 2, . . . , n} appears exactly once in the second row. The number of ways in which this can happen is precisely n!. Thus we have the following lemma.
Groups and Permutations 201
Lemma 3.3.1 |Sn | = n!. Of special importance is the identity permutation on a set X defined by (x) = x,
for all x ∈ X .
If X = {1, 2, . . . , n}, then we write the identity permutation as
1 = 1
2 2
... n . n
3 3
Since permutations are functions, we can take two permutations α and β (of the same set X ) and form their composition α ◦ β. This is defined as follows: For x ∈ X , α ◦ β(x) = α(β(x)). Generally we write simply αβ for α ◦ β. In S5 , let 1 2 3 4 5 1 α= , β= 2 3 4 5 1 2
2 1
3 4
4 5
5 . 3
Then, αβ =
1 3
2 2
3 5
4 1
5 4
2 1
3 2
4 3
5 . 4
and α has an inverse α
−1
1 = 5
Theorem 3.3.2 For every nonempty set X , the set SX is a group. Proof. (i) For all α, β ∈ SX it is straightforward to verify that α ◦ β is also a bijection so that α ◦ β ∈ SX . Thus, SX is closed under the binary operation ◦. (ii) Since permutations are just special kinds of functions and we have seen in Lemma 1.1.7 that the composition of functions is associative, it follows that the associative law holds in SX . (iii) With denoting the identity permutation, we have α◦ = ◦α =α so that is an identity for SX .
for all α ∈ SX
202 Introduction to Applied Algebraic Systems
(iv) It remains to show that every element has an inverse. Let α ∈ SX . For any y ∈ X there exists a unique x ∈ X with α(x) = y (since α is a bijection). So we can define a mapping β as follows: For every y ∈ X β(y) = x
where α(x) = y.
Then β is a bijection and α ◦ β = β ◦ α = . Thus, β = α −1 . We have now established that SX is a group. For any a1 , a2 , . . . , an ∈ X , n > 1, we denote by (a1 a2 . . . an ) the permutation α of X such that α(ai ) = ai+1
(1 ≤ i ≤ n − 1)
α(an ) = a1 α(x) = x
x ∈ X \{a1 , a2 , . . . , an }.
We call (a1 a2 . . . an ) an n-cycle. For example, (2 5) is a 2-cycle and (1 3 5) is a 3-cycle. Another term for a 2-cycle is transposition. It is convenient to extend this notation to include 1-cycles. By a 1-cycle (a), we will mean the permutation that maps the element a to itself and all other elements to themselves. In other words, a 1-cycle is just another way of writing the identity permutation. This can be a useful device when writing a permutation as a product of cycles. Of course, we can still represent cycles in the previous notation if that is convenient. For instance, in S7 , 1 2 3 4 5 6 7 (1 3 5 7) = . 3 2 5 4 7 6 1 Note that (1 3 5 7) = (3 5 7 1) = (5 7 1 3) = (7 1 3 5) so that there is more than one way to write a cyclic permutation. We can compose cycles easily (but carefully, remembering that the one on the right acts first): 1 2 3 4 5 6 7 (1 3 5 7)(2 3 4 7) = . 3 5 4 1 7 6 2 The inverse of a cycle is also easily determined. Lemma 3.3.3 For all a1 , a2 , . . . , an ∈ X , (a1 a2 . . . an )−1 = (an an−1 . . . a2 a1 ).
Groups and Permutations 203
Proof. Exercise.
As a special case of Lemma 3.3.3, we have (a1 a2 )−1 = (a2 a1 ) = (a1 a2 ). Thus, every transposition is equal to its own inverse. Two cycles (a1 . . . am ) and (b1 . . . bn ) are disjoint if ai = bj for all i, j. In general, permutations do not commute. Even cycles need not commute: (1 2 3)(2 3) = (1 2) (2 3)(1 2 3) = (1 3). However, Lemma 3.3.4 Disjoint cycles commute. Proof. Let α = (a1 a2 . . . am ) and β = (b1 b2 . . . bn ) be disjoint cycles in SX . Then ⎧ for some i ⎨α(x) if x = ai for some j αβ(x) = β(x) if x = bj ⎩ x if x = ai , bj for all i, j = βα(x). Thus, αβ = βα.
The importance of disjoint cycles flows from the following theorem. Theorem 3.3.5 Let X be a finite set. Then every element of SX can be written as a product of disjoint cycles. Moreover, such a representation is unique to within the order in which the cycles are written. Proof. Let α ∈ SX . Pick x ∈ X and consider x, α(x), α 2 (x), . . . . Since X is finite, there exist positive integers i, j with i < j and α i (x) = α j (x). Then, x = α −i α i (x) = α −i α j (x) = α j−i (x) so that the first element to repeat in the sequence x, α(x), α 2 (x), . . . must be x itself. Thus we can represent the action of α on the subset {x, α(x), α 2 (x), . . .} by a cycle (x α(x) α 2 (x) · · · ).
204 Introduction to Applied Algebraic Systems
Now pick y ∈ X \{x, α(x), α 2 (x), . . .} and repeat the argument. This leads to a description of α as a product of disjoint cycles: (x α(x) α 2 (x) · · · )(y α(y) α 2 (y) · · · ) · · · . Clearly, this representation is unique modulo the order of the cycles.
To illustrate the previous theorem, consider
1 4
2 8
3 10
4 6
5 2
6 7 8 9 7 1 5 9
10 = (1 4 6 7)(2 8 5)(3 10)(9) 3 = (1 4 6 7)(2 8 5)(3 10)
where, as is customary, we have omitted cycles of length 1. With the help of cycles, we can list the elements of Sn (for small values of n): S2 = { , (12)} S3 = { , (12), (13), (23), (123), (132)}. Here is an amusing application of cycles. A standard pack of 52 playing cards is shuffled as follows. The pack is numbered 1, 2, 3, . . . , 51, 52 from top to bottom. Now divide the pack into two piles consisting of the first 26 cards and the last 26 cards and “shuffle” them into the order 27, 1, 28, 2, 29, 3, . . . . (i) Show that repeating this process a sufficient number of times will return the cards to their original order. (ii) What is the minimal number of repetitions that will return the pack to its original order? (iii) Can you describe another shuffle that would require a greater number of repetitions to return the pack of cards to its original order? Answer: We are really discussing permutations in S52 . The shuffle that is described consists of one cycle: α = (1 2 4 8 16 32 11 22 44 35 . . . 29 5 10 20 40 27). The order of α is 52. Hence, 52 repetitions of this shuffle will return the pack to its original order and that is the least number of repetitions to achieve this. The “shuffle” corresponding to the permutation β = (1 2 3 . . . .49)(50 51 52) has order 49 × 3 = 714. There are many possible examples.
Groups and Permutations 205
Exercises 3.3 1. Evaluate each of the following in S6 as products of disjoint cycles and in the form
1 a
2 b
3 c
4 d
5 2
6 4
5 e
6 . f
1 6
2 5
(i) (1 3 5)(2 3 4 5). (ii) (1 2 3)(3 4 5)(2 6 3). (iii)
1 2 3 6
3 5
4 1
3 4
4 3
5 2
6 1
9 3
10 . 2
.
(iv) (2 4 3 5 1)−1 . (v) ((2 4 5)(1 3 6))−1 . 2. Find the order of the following elements of S10 : (i) (1 3 5 7). (ii) (1 3 5)(2 4 6 8). (iii) (1 2 3 4)(5 6 7 8 9 10). (iv)
1 5
2 6
3 4 5 9 8 4
6 7 10 1
8 7
3. (i) Express
1 α= 6
2 5
3 1
4 3
5 2
6 4
as a product of transpositions. (ii) Express α = (1 2 3 4 5) as a product of 3-cycles. 4. What is the order of a k-cycle? 5. Show that the product of any two distinct elements in S3 of order 2 yields an element of order 3. 6. Let α ∈ Sn and α = α1 α2 · · · αm as a product of disjoint cycles. Show that |α| = lcm{ |αi | | 1 ≤ i ≤ m}.
206 Introduction to Applied Algebraic Systems
7. What is the largest order of any element in (i) S5 (ii) S6 (iii) S10 ? 8. Define ϕ : Z48 → Z48 by ϕ(a) = 5a
(a ∈ Z48 ).
Show that ϕ is a permutation of Z48 . ∗ 9.
Find Z (S2 ). Show that Z (Sn ) = { } for all n ≥ 3.
10. Find all subgroups of S3 . 11. (i) Show that D3 ∼ = S3 . (ii) Show that Dn is not isomorphic to Sn , for n > 3. 12. Let GF(9) = Z3 [y]/(y 2 + 1). Then ϕ : a → a3
(a ∈ GF(9))
is a permutation of GF(9) called the Frobenius automorphism. Write ϕ as a product of disjoint cycles. ∗ 13.
Let F be a field. For all a, b ∈ F with a = 0, let ta,b be the mapping of F into F defined by ta,b (x) = ax + b
(x ∈ F ).
Show that ta,b ∈ SF and that the set H of all such permutations is a subgroup of SF . (Note that the operation in H is the composition of functions.) ∗ 14.
Let R = Zp [x]/(x n − 1) and α be the mapping defined by α(a(x)) = x · a(x)
(a(x) ∈ R).
Show that α is a permutation of R. 15. Let G be a subgroup of Sn , let A ⊆ {1, 2, . . . , n} and let S(A) = {α ∈ G | α(a) = a, ∀ a ∈ A}. (i) For G = S5 and A = {1, 3}, list the elements of S(A). (ii) For any subgroup G of Sn , show that S(A) is a subgroup of G.
Groups and Permutations 207
16. Let G be the group of rotations of a rectangular box of dimensions a × b × c where a, b, and c are all different. Describe each element of G. 17. Repeat Exercise 16 assuming that a = b = c. 3.4 Matrix Groups
Throughout this section, let F denote an arbitrary field. We will denote by Mn (F ) the set of all n × n matrices over F , with addition and multiplication in F , defined in the usual way: For A = (aij ), B = (bij ) A + B = (aij + bij ),
AB =
) n
* aik akj .
k=1
A third operation of scalar multiplication is also useful. For a ∈ F , aA = (aaij ). We will assume that you have some familiarity with matrices, although perhaps only with matrices with rational or real entries. So we will begin by reviewing, without detailed verification, the basic ideas and results concerning matrices that we require. If you have only seen these results for matrices over the rationals or reals, you should have no difficulty verifying that they hold equally well for matrices over an arbitrary field. Of special importance is the identity n × n matrix In = (dij ) where dij =
1 0
if i = j, otherwise.
Lemma 3.4.1 Mn (F ) is a ring with identity. Proof. See any introductory text on linear algebra and matrices for a verification of the ring axioms, for example [Nic]. Of course, for n > 1, Mn (F ) is a noncommutative ring. The following are called the elementary row operations on a matrix: R1: Multiply a row by a nonzero element a ∈ F ∗ . R2: Interchange two rows. R3: Add a multiple of one row to another different row. The determinant det(A) of an n × n matrix A ∈ Mn (F ) is defined inductively on n as follows: For A ∈ M1 (F ), say A = (a), det(A) = a.
208 Introduction to Applied Algebraic Systems
For A ∈ Mn (F ), with n > 1, let Aij denote the matrix obtained from A by deleting the ith row and jth column. Then det(A) = a11 det(A11 ) − a12 det(A12 ) + · · · + (−1)n−1 a1n det(A1n ). This is known as the Laplace expansion of the determinant across the first row. Thus, det is a function from Mn (F ) to F . For instance, it is easily seen that det(In ) = 1 and that, more generally, if A = (aij ) is a diagonal matrix (that is, aij = 0 if i = j), then det(A) = a11 a22 · · · ann . Another way to calculate the determinant of a matrix A is to reduce A to a simpler matrix using elementary row operations. The next result tells us, among other things, how to keep track of the value of a determinant as we apply elementary row operations. Lemma 3.4.2 Let A ∈ Mn (F ), a ∈ F . (i) det(aA) = a n det(A). (ii) If B is obtained from A by multiplying a row of A by a ∈ F , then det(B) = a det(A). (iii) If B is obtained from A by interchanging the ith and jth rows, where i = j, then det(B) = (−1) det(A). (iv) If B is obtained from A by adding a multiple of one row of A to another, then det(B) = det(A). (v) For all A, B ∈ Mn (F ), det(AB) = det(A) · det(B). Proof. See [HW], [Nic] or [Z] for a complete derivation of these results from the Laplace expansion. A matrix A ∈ Mn (F ) is an invertible matrix if there exists a matrix B ∈ Mn (F ) with AB = BA = In . The next result gives us several ways of determining whether a matrix is invertible. Lemma 3.4.3 Let A ∈ Mn (F ). Then the following statements are equivalent: (i) A is invertible. (ii) There exists a sequence of elementary row operations that, when applied to A, will reduce A to In . (iii) There exists a sequence of elementary row operations that, when applied to In , yield A. (iv) The rows of A are independent as vectors in F n . (v) det(A) = 0.
Groups and Permutations 209
Proof. See [HW], [Nic] or [Z] for a complete derivation of these results.
If A, X ∈ Mn (F ) are such that AX = XA = In , then X is unique and we say that X is the inverse of A and write X = A −1 . If A and B are both invertible matrices, then (AB)−1 = B −1 A −1 . There is a simple algorithm for calculating the inverse of an invertible n × n matrix A. First write A and In side by side to form an n × 2n matrix B = [A In ] . Now apply to B any sequence of elementary row operations that will reduce A to In . The resulting matrix is of the form [In C] where C = A −1 . Our particular interest in this section lies in the set of invertible matrices: We define GLn (F ) = {A ∈ Mn (F ) | A is invertible}. Theorem 3.4.4 GLn (F ) is a group with respect to matrix multiplication. Proof. Clearly In is invertible so that In ∈ GLn (F ), and GLn (F ) is nonempty and has an identity (namely, In ). Let A, B ∈ GLn (F ). Then by the discussion preceding the Theorem, we have that AB is invertible with (AB)−1 = B −1 A −1 . Thus, GLn (F ) is closed under multiplication and we already know that matrix multiplication is associative. Finally, for A ∈ GLn (F ), it is clear that the inverse of A −1 is just A so that A −1 ∈ GLn (F ). Therefore, GLn (F ) is a group. The group GLn (F ) is called the general linear group (over F ). There are many interesting groups associated with GLn (F ). We consider one here and a few others in the exercises. Let Pn (F ) = {A = (aij ) ∈ GLn (F ) | (i) aij = 0 or 1, ∀ i, j, (ii) A has exactly one nonzero entry in each row and column}. Lemma 3.4.5 Let A ∈ Pn (F ). (i) A can be reduced to In by a sequence of row interchanges. (ii) det A = ±1.
210 Introduction to Applied Algebraic Systems
Proof. (i) By the definition of Pn (F ), A has exactly one nonzero entry in the first column in, say, the ith position. Then the first entry in the ith row is 1 and all other entries in the ith row are 0. So, if we interchange the first and ith rows, then we obtain a matrix of the form ⎡
1 ⎢0 ⎢ ⎢ .. ⎣.
0
⎤
··· 0 B
⎥ ⎥ ⎥ ⎦
0 where B ∈ Pn−1 (F ). Repeating the process with B, we obtain the desired result. (ii) This follows immediately from part (i) and Lemma 3.4.2 (iii). Theorem 3.4.6 (i) Pn (F ) is a subgroup of GLn (F ). (ii) |Pn | = n!. Proof. (i) Clearly, In ∈ Pn (F ) and it is easily verified that Pn (F ) is closed under multiplication. Now let A ∈ Pn (F ). Then A can be reduced to In by applying a sequence of row exchanges. Applying these same row exchanges to the matrix [A In ] converts In to A −1 . Consequently, A −1 can be obtained from In by a sequence of row interchanges, and therefore A −1 ∈ Pn (F ). Thus, Pn (F ) is a subgroup of GLn (F ). (ii) If we wish to construct an element of Pn , then we can do it one column at a time. In the first column, we can place a 1 in any of the n positions. This provides n choices. After an entry of 1 has been placed in the first column, the remaining entries in the column must be 0 and the remaining entries in the row of that entry must also be 0. This means that we will have n − 1 choices for the second column, then n − 2 choices for the third column, and so on. Thus we have n(n − 1)(n − 2) · · · 3 · 2 · 1 = n! choices in all.
It turns out that Pn (F ) is not a completely new example of a group at all, but just a familiar group in a different guise.
Groups and Permutations 211
Theorem 3.4.7 Let n ≥ 2 and, for each α ∈ Sn , define Aα = (aij ) ∈ Pn (F ) by
1 0
aij =
if α(j) = i, otherwise.
Then the mapping µ : α → Aα is an isomorphism of Sn onto Pn (F ). Proof. Let α, β ∈ Sn and α = β. Let Aα = (aij ), Aβ = (bij ). Since α = β, there exists an element j (1 ≤ j ≤ n) with α(j) = β(j). Let i = α(j). Then aij = 1,
bij = 0
so that Aα = Aβ . Thus, µ is injective. Since |Sn | = n! = |Pn |, it follows from Lemma 1.1.6 that µ is a bijection. Now let Aα Aβ = C = (cij ). Then, cij = 0 ⇐⇒
aik bkj = 0
k
⇐⇒ ∃ k (necessarily unique) with aik = 0 = bkj ⇐⇒ ∃ k with β(j) = k, α(k) = i ⇐⇒ αβ(j) = i ⇐⇒ (i, j)th entry of Aαβ is nonzero. We also see from the previous calculations that if cij = 0, then there exists some k with cij = aik bkj = 1 · 1 = 1. Thus, C = Aαβ and µ(α)µ(β) = Aα Aβ = C = Aαβ = µ(αβ). Hence, µ is an isomorphism.
Exercises 3.4 1. Let F = Z3 [y]/(1 + y 2 ). Find the inverse of ⎡
y A = ⎣2y 2 in GLn (F ).
1 + 2y 2+y 1+y
⎤ 2 + 2y 2+y ⎦ 2
212 Introduction to Applied Algebraic Systems
2. Let M be the set of matrices A of the form 1 a A= 0 b where b = 0. Show that M is a subgroup of GLn (F ). 3. Show that SLn (F ) = {A ∈ GLn (F ) | det A = 1} is a subgroup of GLn (F ). SLn (F ) is called the special linear group. 4. A matrix A ∈ GLn (F ) is orthogonal if A T = A −1 where, if A is the n × n matrix (aij ), then A T denotes the transpose of A, that is, the matrix (aji ). Show that On (F ) = {A ∈ GLn (F ) | A is orthogonal} is a subgroup of GLn (F ). On (F ) is called the orthogonal group. 5. Let SOn (F ) = {A ∈ On (F ) | det A = 1}. Show that SOn (F ) is a subgroup of On (F ). SOn (F ) is called the special orthogonal group. 6. Show that Dn (F ) = {A ∈ GLn (F ) | A is a diagonal matrix} is a subgroup of GLn (F ). 7. Show that UTn (F ) = {A ∈ GLn (F ) | A is upper triangular} is a subgroup of GLn (F ). 8. Show that the set SUTn (F ) = {A ∈ UTn (F ) | det A = 1} is a subgroup of UTn (F ). 9. Show that SUTn (F ) = {A ∈ SUTn (F ) | aii = 1 for 1 ≤ i ≤ n} is a subgroup of SUTn (F ).
Groups and Permutations 213
10. Let A, B ∈ SUTn (F ). Show that A −1 B −1 AB ∈ SUTn (F ). 11. Show that SO2 (R) consists of all matrices of the form
cos θ − sin θ
sin θ cos θ
with 0 ≤ θ < 2π. 3.5 Even and Odd Permutations
It turns out that there is a very interesting and important division of permutations into two classes that is not at all obvious at first sight. Take F = Q in Theorem 3.4.7. Then by Lemma 3.4.5 (ii), we see that for all α ∈ Sn , det(µ(α)) = ±1 . So let us define α to be even odd
if if
det(µ(α)) = 1, det(µ(α)) = −1.
and the sign of α to be sgn(α) = det(µ(α)) =
1 if α even −1 if α odd
We refer to sgn(α), or to whether α is even or odd, as the parity of α. The parity of permutations is a key ingredient in an alternative definition of the determinant of a square matrix that runs as follows: for any n × n matrix A = (aij ) over a field, det(A) =
sgn(σ )a1σ (1) a2σ (2) · · · anσ (n) .
σ ∈Sn
Of course, in order to adopt this as the definition of the determinant function, one must first show that the parity of a permutation is well-defined. To see that the two definitions of the determinant are indeed equivalent, we refer the interested reader to [HW], [Nic] or [Z]. This is all very well and good, but is there an easier or more direct way of determining whether a permutation is even or odd than calculating first µ(α)
214 Introduction to Applied Algebraic Systems
and then det(µ(α))? Yes there is, as we shall see in Theorem 3.5.3. We require a few preliminary observations. Lemma 3.5.1 (i) is even. (ii) Every transposition is odd. Proof. (i) We have µ( ) = In so that det(µ( )) = det In = 1. (ii) Let α = (ij) ∈ Sn be a transposition. Then ⎡ ⎢ ⎢ ⎢ i th row ⎢ ⎢ ⎢ µ(α) = ⎢ ⎢ th j row ⎢ ⎣
1 0 · · · · · 0
0 1
···
·
·
0
1
1
0
0
0
i th col
j th col
0
⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥. ⎥ ⎥ ⎥ ⎦
1
Hence, µ(α) can be reduced to In by simply interchanging rows i and j. Therefore, det(µ(α)) = −1, so that α is odd.
In the light of Lemma 3.5.1, we will be able to determine the parity of a permutation if we can just express it as a product of transpositions. Lemma 3.5.2 Let X be a finite set. Then every permutation in SX can be written as a product of transpositions. Proof. Let α ∈ SX . By Theorem 3.3.5, we can write α as a product of disjoint cycles—say, α = α1 α2 · · · αk where the αi are disjoint cycles. Therefore, it suffices to show that each αi can be written as a product of 2-cycles. Let αi = (a1 a2 · · · am ).
Groups and Permutations 215
Then αi = (a1 am )(a1 am−1 ) · · · (a1 a3 )(a1 a2 ) as required.
The description of a permutation as a product of 2-cycles is not unique: (1 2 3 4 5) = (15)(14)(13)(12) = (21)(25)(24)(23) = (12)(12) = (12)(34)(34)(12). Theorem 3.5.3 Let α ∈ Sn . Then α is even if and only if α can be written as a product of an even number of transpositions. Proof. By Lemma 3.5.2, α can be expressed as a product of transpositions— say, α = α1 α2 · · · αk where each αi is a transposition. Then µ(α) = µ(α1 α2 · · · αk ) = µ(α1 )µ(α2 ) · · · µ(αk ) so that det(µ(α)) = det(µ(α1 )) · det(µ(α2 )) · · · det(µ(αk )) = (−1) · (−1) · · · (−1) = (−1)k . Thus, α is even if and only if k is even, and the claim follows.
Note that it follows from the proof of Theorem 3.5.3 that if a permutation α ∈ Sn can be written as a product of an even (odd) number of transpositions, then every expression for α as a product of transpositions must have an even (odd) number of transpositions. We denote by An the set of all even permutations in Sn . In light of the next result, An is a subgroup of Sn that is known as the alternating subgroup of Sn .
216 Introduction to Applied Algebraic Systems
Theorem 3.5.4 An is a subgroup of Sn and |An | = 12 |Sn |. Proof. We leave the verification that An is a subgroup for you as an exercise. To see that An contains exactly half the elements, let Bn = Sn \An . In other words, Bn consists of all the odd elements. Let τ be any transposition and let ϕ : α → ατ
(α ∈ Sn ).
Then ϕ(α) = ϕ(β) =⇒ ατ = βτ =⇒ α = β so that ϕ is one-to-one. Since Sn is finite, it follows that ϕ is a permutation of Sn . Now α ∈ An =⇒ ∃ transpositions τ1 , . . . , τ2k with α = τ1 . . . τ2k =⇒ ϕ(α) = ατ = τ1 τ2 . . . τ2k τ ∈ Bn . Similarly, α ∈ Bn ⇒ ∃ transpositions τ1 , . . . , τ2k+1 with α = τ1 . . . τ2k+1 ⇒ ϕ(α) = ατ = τ1 . . . τ2k+1 τ ∈ An . Therefore, ϕ maps An into Bn and Bn into An . Since ϕ is one-to-one, we must have |An | = |Bn | so that |An | = 12 |Sn |. Since S2 = { , (12)}, we have A2 = { }. The situation in S3 is a little more interesting: S3 = { , (12), (13), (23), (123), (132)} where (123) = (13)(12) (132) = (12)(13). Thus, A3 = { , (123), (132)}.
Groups and Permutations 217
Exercises 3.5 1. Show that a k-cycle (k > 1) is even if and only if k is odd. 2. List the elements of (i) S4 , (ii) A4 , as products of disjoint cycles. 3. Find the center of A3 , A4 . 4. Prove that An is a subgroup of Sn . 5. Let α ∈ Sn , β ∈ An . Show that α −1 βα ∈ An . 6. Let α, β ∈ Sn . Show that α −1 β −1 αβ ∈ An . 7. Let a, b, c, d be distinct integers with 1 ≤ a, b, c, d ≤ n. Show that (i) (ab)(ac) = (acb) (ii) (ab)(cd) = (acb)(acd). (iii) Show that, for n ≥ 3, An consists precisely of those permutations that can be written as a product of 3-cycles. 8. Let H be a subgroup of Sn . Show that either H ⊆ An or else |H ∩ An | = 12 |H |. 9. Let n ≥ 2, 1 ≤ a < b ≤ n, and α, β ∈ Sn be the elements α = (1 2),
β = (1 2 3 · · · n).
Establish the following: (i) (a b) = (a a + 1)(a + 1 a + 2) · · · (b − 2 b − 1)(b − 1 b) (b − 1 b − 2)(b − 2 b − 3) · · · (a + 2 a + 1)(a + 1 a). (for i = 1, 2, . . . , n − 2), (ii) β i αβ −i = (1 + i 2 + i) β n−1 αβ −(n−1) = (1 n). (iii) Every element of Sn can be expressed as a product of the permutations α and β.
3.6 Cayley’s Theorem
It is tempting to think of groups of permutations just as nice examples of groups. However, the next result tells us that, in fact, every group is isomorphic to a group of permutations. Thus, the study of groups of permutations is at the very heart of group theory.
218 Introduction to Applied Algebraic Systems
Theorem 3.6.1 (Cayley’s Theorem) Let G be a group. For each a ∈ G, define a mapping ρa : x → ax
(x ∈ G).
(i) ρa ∈ SG . (ii) H = {ρa | a ∈ G} is a subgroup of SG . (iii) The mapping χ : a → ρa
(a ∈ G)
is an isomorphism of G onto H . Proof. (i) For any x, y ∈ G ρa (x) = ρa (y) =⇒ ax = ay =⇒ x = y so that ρa is injective. Also, for any x ∈ G, ρa (a −1 x) = a(a −1 x) = aa −1 x = x which implies that ρa is surjective. Thus, ρa is a bijection of G onto itself—that is, ρa ∈ SG . (ii) Clearly, H = ∅. For any ρa , ρb ∈ SG , we have (ρa ρb )(x) = ρa (ρb (x))
for all x ∈ G
= ρa (bx) = a(bx) = (ab)x = ρab (x)
(3.3)
so that ρa ρb = ρab ∈ H and H is closed. Also, it is straightforward to verify that (ρa )−1 = ρa −1 ∈ H . Thus H is a subgroup of SG . (iii) Let a, b ∈ G. Then χ (a) = χ (b) =⇒ ρa = ρb =⇒ ρa (1) = ρb (1) =⇒ a · 1 = b · 1 =⇒ a = b.
Groups and Permutations 219
Thus, χ is injective. Clearly, χ is surjective so that χ is a bijection. Finally, for all a, b ∈ G, χ (ab) = ρab = ρa ρb
by (3.3)
= χ (a)χ (b). Therefore, χ is an isomorphism as required.
Historically, the first groups to be studied were permutation groups. The idea of axiomatizing groups came later. Cayley’s Theorem shows that our group axioms capture exactly the concept of a group of permutations. To illustrate Cayley’s Theorem: consider Z5 ∗ = {1, 2, 3, 4}. Then 1 2 3 4 ρ1 = = 1 2 3 4
1 ρ2 = 2
1 3
ρ3 =
2 4
3 1
4 3
2 1
3 4
4 2
and so forth. In (Z5 , +), on the other hand, 0 1 2 3 4 = ρ0 = 0 1 2 3 4 ρ1 =
0 1
1 2
2 3
3 4
4 0
and so on. Exercises 3.6 1. (i) Describe the Cayley representation χ of (Z4 , +). (ii) Give an example of a permutation α ∈ SZ4 \ χ(Z4 ). (iii) Find χ(Z4 ) ∩ A4 . 2. (i) Describe the Cayley representation χ of (Z7 ∗ , ·). (ii) Give an example of a permutation α ∈ SZ7 ∗ \ χ(Z7 ∗ ). (iii) Find χ(Z7 ∗ ) ∩ A6 . 3. (i) Describe the Cayley representation χ of S3 . (ii) Give an example of a permutation α ∈ SS3 \ χ(S3 ). (iii) Find χ(S3 ) ∩ A6 .
220 Introduction to Applied Algebraic Systems ∗ 4.
Let χ : G → SG be the Cayley representation of a finite group G, let a ∈ G and χ(a) = ρa . Let ρa be written as a product of disjoint cycles ρa = α1 α2 · · · αm . Establish the following: (i) For all i, 1 ≤ i ≤ m, the length of αi is equal to the order of a. (ii) m = |G|/|a|, the index of α in G.
∗ 5.
Let χ : G → SG be the Cayley representation of a finite group G. Show that χ(G) contains only even permutations if and only if one of the following conditions prevails: (a) Every element of G has odd order. (b) G is not cyclic and 4 divides |G|. (Hint: Use Exercise 4.)
3.7 Lagrange’s Theorem
Let H be a subgroup of a group G. Following a pattern that by now may seem familiar, we define a relation ≡H on G by a ≡H b ⇐⇒ ab −1 ∈ H . Equivalently, a ≡H b ⇐⇒ ab −1 = h, ⇐⇒ a = hb,
for some h ∈ H for some h ∈ H .
Then, for all a, b, c ∈ G, we see that aa −1 = e ∈ H =⇒ a ≡H a a ≡H b =⇒ ab −1 ∈ H =⇒ ba −1 = (ab −1 )−1 ∈ H =⇒ b ≡H a and a ≡H b, b ≡H c =⇒ ab −1 , bc −1 ∈ H =⇒ ac −1 = (ab −1 )(bc −1 ) ∈ H =⇒ a ≡H c. This establishes the first claim in the next result.
Groups and Permutations 221
Lemma 3.7.1 ≡H is an equivalence relation on G. Moreover, if [a] is the class of a ∈ G, then [a] = {ha | h ∈ H }. Proof. It only remains to characterize [a]. We have x ∈ [a] ⇐⇒ a ≡H x ⇐⇒ x ≡H a ⇐⇒ xa −1 ∈ H ⇐⇒ xa −1 = h
for some h ∈ H
⇐⇒ x = ha
for some h ∈ H
so that [a] = {ha | h ∈ H }.
Note that the relation ≡H has a twin or dual relation, as we say, H ≡ that can be defined as follows: a
H
≡ b ⇐⇒ a −1 b ∈ H .
For every result about ≡H there is a dual result for H ≡. It seems fairly natural to define Ha = {ha | h ∈ H }. With this notation, we then have that [a] = the class of a in ≡H = Ha. Any set of the form Ha is called a right coset (of H ). Dually, aH = {ah | h ∈ H } is a left coset (of H ). Of course, if G is commutative, then the left and right cosets are the same: aH = Ha, for all a ∈ G. Note that since the right cosets of H are the classes of the equivalence relation ≡H , they form a partition of the group G. In particular, for any two right cosets Ha, Hb, we either have Ha = Hb
or
Ha ∩ Hb = ∅.
222 Introduction to Applied Algebraic Systems
Let us see what these cosets look like in a specific example. Let G = Z12 and H = 3Z12 . Then the cosets of H are H + 0 = H = {0, 3, 6, 9} H + 1 = {1, 4, 7, 10} H + 2 = {2, 5, 8, 11}. Note that the left and right cosets are the same in this case since G is abelian. Also, H + 1 = H + 4 = H + 7 = H + 10. In other words, it doesn’t matter which element of the coset you use to describe it. Consider another example. We have S3 = { , (12), (13), (23), (123), (132)}. Let α = (12)
and
H = { , α}.
Then H = H H (13) = {(13), (12)(13)} = {(13), (132)} H (23) = {(23), (12)(23)} = {(23), (123)} H (123) = {(123), (12)(123)} = {(123), (23)} = H (23). On the other (left) hand, H = H (13)H = {(13), (13)(12)} = {(13), (123)} (23)H = {(23), (23)(12)} = {(23), (132)} (123)H = {(123), (123)(12)} = {(123), (13)} = (13)H . Note that some of the left cosets are different from their right counterparts. Also note that for any subgroup H of G, the only coset (left or right) of H that is a subgroup of G is H itself. Here are some of the basic properties of cosets:
Groups and Permutations 223
Lemma 3.7.2 Let H be a subgroup of G and a ∈ G. (i) (ii) (iii) (iv) (v) (vi)
a ∈ Ha. Ha = H ⇐⇒ a ∈ H . For a, b ∈ G, either Ha = Hb or Ha ∩ Hb = ∅. Ha = Hb ⇐⇒ ab −1 ∈ H ⇐⇒ ba −1 ∈ H . If G is finite, then |H | = |Ha|. Ha = aH ⇐⇒ H = a −1 Ha.
(Note that a −1 Ha = {a −1 ha | h ∈ H }.) Proof. Parts (i) through (iv) and (vi) are left for you as exercises. (v) Define a mapping ϕ : H → Ha by ϕ(h) = ha
(h ∈ H ).
Then, for h, h ∈ H , ϕ(h) = ϕ(h ) =⇒ ha = h a =⇒ h = h
by cancellation
so that ϕ is injective. Also, for any y ∈ Ha we must have, for some h ∈ H , y = ha = ϕ(h). Thus, ϕ is surjective and therefore a bijection. Note that we have not assumed that G is finite. In other words, we always have a bijection from H to Ha even when G is infinite. When G is finite, so also are H and Ha, and we can conclude that they have the same number of elements. The relationship between the size of a group and the sizes of its subgroups is extremely important. Theorem 3.7.3 (Lagrange’s Theorem) Let H be a subgroup of the finite group G. Then |H | divides |G|. Proof. Let ≡H be the equivalence relation defined on G prior to Lemma 3.7.1. Let a ∈ G. By Lemma 3.7.1, [a] = Ha so that, by Lemma 3.7.2 (v), |[a]| = |Ha| = |H |.
224 Introduction to Applied Algebraic Systems
Thus, every equivalence class of ≡H has the same number of elements. Since these classes partition G, it follows that |G| = number of classes × |H |. Therefore, |H | divides |G|.
(3.4)
Note that from equation (3.4) in the proof of Theorem 3.7.3 we can obtain a formula for the number of ≡H -classes. Indeed, number of right cosets = number of ≡H -classes = |G|/|H |. Dually, substituting left for right, we have number of left cosets = number of
H
≡ -classes
= |G|/|H |. In particular, the numbers of left and right cosets of a given subgroup are the same. This is an important number in calculations involving groups. It is called the index of H in G and is denoted by [G : H ]. We have [G : H ] = |G|/|H |. However, it must be emphasized that although the number of left cosets is the same as the number of right cosets, the actual left and right cosets themselves can be different. Corollary 3.7.4 Let G be a finite group and a ∈ G. Then |a| divides |G|. Proof. We have seen that |a| = |a|. Since a is a subgroup of G, we know from Lagrange’s Theorem that |a| divides |G| and the result follows. Corollary 3.7.5 Let G be a finite group and a ∈ G. Then a |G| = e. Proof. By Corollary 3.7.4, |a| divides |G|. Therefore, by Lemma 3.1.7, a |G| = e. Euler lived in an era preceding the introduction of groups, but it is interesting to see that Euler’s Theorem can be obtained as a simple consequence of Corollary 3.7.5. The size of the group of invertible elements in Zn is just ϕ(n). Hence, by Corollary 3.7.5, for any invertible element [a] in Zn , we must have
Groups and Permutations 225
[a]ϕ(n) = [1]. Since [a] is invertible in Zn if and only if (a, n) = 1, it follows that a ϕ(n) ≡ 1 modn whenever (a, n) = 1, which is precisely Euler’s Theorem. Corollary 3.7.6 Groups of prime order are cyclic. Proof. Let |G| = p, where p is a prime. Let a ∈ G, a = e. Then, 1 < |a|. But by Corollary 3.7.4, |a| divides |G| = p. Therefore, |a| = p. But then |a| = p, so that a must contain all p elements of G. Thus, a = G and G is cyclic. So far we have encountered the following groups of small order: Order
Group
1
{0}
2
Z2
3
Z3
4
Z4 , Z2 × Z2
5
Z5
6
Z6 , S3
7
Z7
We know that the two groups of order 4 are not isomorphic (Exercise 18 in Section 3.2) whereas the two groups of order 6 are not isomorphic since one is commutative and the other is not. By Corollary 3.7.6, we know that we have listed all the groups of orders 2, 3, 5, and 7 (up to isomorphism). By Exercise 8 in Section 3.1 we know that every group of order 4 is isomorphic to one of the two listed. In the exercises for this section we will see that Z6 and S3 are also the only groups of order 6 (up to isomorphism). We conclude this section with another interesting family of groups. A pair of sets (V , E) is called a graph if V is a nonempty set and E is a set with members that are pairs of vertices. The elements of V are called vertices and the elements of E are called edges. An automorphism α of a graph (V , E) is a permutation of V (so that α ∈ SV ), satisfying the condition (u, v) ∈ E =⇒ (α(u), α(v)) ∈ E. It is easy to verify that the set of all automorphisms of a graph (V , E) is a subgroup of SV , called the automorphism group of the graph. When a graph is small, it may be possible to represent it by a diagram. (For example, see Fig. 3.3)
226 Introduction to Applied Algebraic Systems
r
r
.... . ... .... ... .... ... . .... . . .... .. ... .... .... .... ..................................................................................... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . ....................................................................................... . . .... .. . . .... .. .... ... .... .... . . . .... . . . . ... ...
r
r
r
r
r
r
Figure 3.3
Exercises 3.7 1. (i) Find all cosets of the subgroup H = {0, 4, 8} of (Z12 , +). (ii) Are the following pairs of elements related under ≡H ? (a) 3, 7. (b) 5, 11. (c) 6, 9. 2. Are the following pairs of elements related under ≡H where H = A7 in S7 ? (i) (12)(35)(27), (17)(26)(35)(47). (ii) (23)(56), (1 3 5 7 4). (iii) (2 4 6 7), (5 6 4 7 1). 3. Let H = { , (13)} in S3 . (i) (ii) (iii) (iv)
Find all the left cosets of H . Find all the right cosets of H . Describe ≡H completely. Describe H ≡ completely.
4. Repeat Question 3 with H = { , (123), (132)}. 5. Establish parts (i), (ii), (iii), (iv), and (vi) of Lemma 3.7.2. 6. Show that the converse of Corollary 3.7.4 is false, in the sense that the fact that m divides |G| does not imply that G contains an element of order m. (Try S4 .) 7. (i) List all elements of A4 . (ii) List all subgroups of A4 . (There are 10 including { } and A4 .) (iii) Show that the converse of Lagrange’s Theorem is false in A4 in the sense that the fact that m divides |G| does not imply that G contains a subgroup of order m.
Groups and Permutations 227
8. Verify the conclusion of Corollary 3.7.4 for all elements of (i) (Z12 , +) (ii) (Z7 ∗ , ·) (iii) A4 9. Show that D5 has subgroups of all possible orders. 10. Let |G| = p, where p is a prime. Show that every nonidentity element of G has order p. 11. Let |G| = p n , where p is a prime. Show that G has an element of order p. 12. Let |G| = p 2 . Show that either G is cyclic or that a p = e for all a ∈ G. 13. Let H , K be subgroups of a finite group G such that (|H |, |K |) = 1. Show that |H ∩ K | = 1. 14. Let |G| = 35. (i) Show that G has at most 8 subgroups of order 5. (ii) Show that G has at most 5 subgroups of order 7. (iii) Deduce that G has at least one element of order 5 and at least one element of order 7. 15. Use Corollary 3.7.5 to prove Euler’s Theorem. 16. Let H be a subgroup of a group G with |H | = 12 |G|. (i) Show that a ∈ H ⇒ G = H ∪ Ha. (ii) Show that a ∈ H ⇒ H a n = H a n+1 . (iii) Deduce that H contains all elements of odd order. 17. (i) How many 3-cycles are there in A5 ? (ii) How many 5-cycles are there in A5 ? (iii) Use Exercise 16 to show that A5 has no subgroup of order 30. 18. Repeat the argument of Exercise 17 to show that A4 has no subgroup of size 6. In the remaining exercises it is established that Z6 and S3 are indeed the only groups of order 6 (to within isomorphism). First we consider abelian groups. 19. Let G be an abelian group in which every nonidentity element is of order 2. Let a, b, c ∈ G and H = a. Show that if H , Hb, and Hc are all distinct, then so also are H , Hb, Hc, and Hbc. 20. Let G be an abelian group of order 6. Establish the following: (i) Not every nonidentity element is of order 2. (Hint: Exercise 19 might help.) (ii) Not every nonidentity element is of order 3.
228 Introduction to Applied Algebraic Systems
21. Let G be an abelian group of order 6. Establish the following: (i) G contains an element a of order 2 and an element b of order 3. (ii) ab has order 6. (iii) G is isomorphic to Z6 . ∗ 22.
Let G be a nonabelian group of order 6. Show that G must contain an element a of order 3 and an element b of order 2. (Exercise 14 in section 3.1 may be helpful.)
∗ 23.
Let a, b and G be as in Exercise 22, and let H = a. Establish the following. (i) G = H ∪ Hb. (ii) ba ∈ H . (iii) ba = a 2 b (= a −1 b).
∗ 24.
Let a, b, and G be as in Exercise 22. Show that the mapping ϕ : G → S3 defined by ϕ(a i b j ) = (123)i (12)j
(0 ≤ i ≤ 2, 0 ≤ j ≤ 1)
is an isomorphism.
3.8 Orbits
In this section we will take a closer look at how groups of permutations act on various structures. We will assume throughout that X is a nonempty set. Let G be a subgroup of SX and x ∈ X . Then the orbit of x is O(x) = {α(x) | α ∈ G}. If G = { , (12)} ⊆ S3 , then O(1) = {1, 2} O(3) = {3}. Let G be the automorphism group of the graph in Figure 3.4. Then it is clear that O(a) = {a, b, c, d} O(c1 ) = {c1 , c2 , c3 , c4 }. Consider D3 , the group of rotational symmetries of an equilateral triangle, as a group of permutations acting on all points within and on the boundary of the triangle (Fig. 3.5).
Groups and Permutations 229
a ...r.. .
rb
. ... .... ... .... ... . . .... . . .... .... .... ... .... ... ... .... . . . ........................................................................................................................ ..... ..... ... 2 ...... ... 1 ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... 4 ... .........................................................................................................3 ... . . . . . . . . . . . . .... . .. .... . . .... .. . . .... .. . . .... .. . . .... .. . .... . .. .... . . . . .... . . . ..
r
r
d
c
c
c
c
r
r
r
r
c
Figure 3.4
The point O of intersection of the medians (AM1 , BM2 , and CM3 ) constitutes a singleton orbit. Clearly, the three vertices constitute one orbit. The three midpoints of the sides constitute another orbit. Indeed, for every point m on a median, other than O, |O(m)| = 3. Every other orbit intersects each of the smaller triangles in exactly one point and with a different point for each such triangle. Thus we have one orbit of size one: {O} infinitely many orbits of size three: {A, B, C}, {M1 , M2 , M3 }, and so forth infinitely many orbits of size six. Lemma 3.8.1 Let G be a subgroup of SX . Then the relation x ≡ y ⇐⇒ y ∈ O(x) is an equivalence relation on X . Equivalently, {O(x) | x ∈ X } is a partition of X . A
. ........ .......... ... .... ..... . . . ... ... .... ... ..... ...... ... ... ... ... ... . ... . ... ... ... ... . . . ... .. ... . ... . . . ... . . . . . .. ... . . . . ... . . . . . . ... . . . . ... . . ........ . . . . . . . .............. . . . . . 2 ...... ................. 3 . ..... . .. ... . . . . . . . . . ... . . . ........ .. .. ... ........ .. ............... ... ... .............. . . ... ..... ...... ... ... ........ ... ....... ... ... ....... .... ............... ... ... ........ ........ . . ... . . ... . . . . . . . . ........ ... . .... . . . . . . . . . . . . . ........ . .. . . . . . . . . . . . . . . . ........ ...... ... . . . . . . . . . . . . . . . ........ .... . .. ............ . . . . . ........ ... . . ........ . . ........... . . .. .. .......... ......................................................................................................................................................................................
M
M
O
C
M1 Figure 3.5
B
230 Introduction to Applied Algebraic Systems
Proof. Let x, y, z ∈ X . Then x = (x) =⇒ x ≡ x so that ≡ is reflexive. Furthermore, x ≡ y =⇒ y = α(x), for some α ∈ G =⇒ α −1 (y) = α −1 α(x) = (x) = x =⇒ x ∈ O(y) =⇒ y ≡ x. Therefore, ≡ is symmetric. Last, x ≡ y, y ≡ z =⇒ y = α(x), z = β(y) for some α, β ∈ G =⇒ z = β(α(x)) = βα(x) where βα ∈ G =⇒ x ≡ z. Therefore, ≡ is transitive and so ≡ is an equivalence relation.
If G is a subgroup of SX such that there is only one orbit (that is, O(x) = X for all x ∈ X ), then G is said to be a transitive group of permutations. For example, SX is a transitive group of permutations of the set X . In many problems concerning the number of essentially different ways of doing something, we are really counting the number of different orbits of some group acting on some set. Elements in the same orbit are considered to be the same. Example 3.8.2 Suppose that we want to know in how many ways we can color the corners of a square with the colors red (R), white (W ), blue (B), and green (G), where each color is used once. The answer depends on how we view the square. Case A. Suppose that we consider the square as fixed in position like a picture on a wall. If we number the corners 1, 2, 3, and 4, then we will have 4 choices for corner 1 3 choices for corner 2 2 choices for corner 3 1 choice for corner 4 so that we have 4! choices in all. We might call these oriented colorings, since if we turn the square in some way, we consider that we have a new coloring. Case B. Now suppose that the square (Fig. 3.6) can be picked up and turned over or around, so that we lose all record of particular corners. How many recognizably different colorings will there be? Suppose that we start with the coloring on the left as shown in Figure 3.6.
Groups and Permutations 231
R ............................................................................... W
G ............................................................................... R
G
B
.... .... ... ... ... .. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . ... ................................................................................
B
.... .... ... ... ... .. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . .... ...............................................................................
W
Figure 3.6
By rotating clockwise through 90◦ , we obtain the coloring on the right, which we consider to be essentially the same. Each rotation of the square provides a new coloring that we wish to identify with the first coloring. The same would apply to any other initial coloring. So, what we have here is the group D4 of rotations of the square acting as a group of permutations of the set of oriented colorings of the square—that is, on the 4! = 24 colorings that we considered in Case A. Moreover, we want to identify any two colorings that are in the same orbit. By Lemma 3.8.1, we know that the orbits partition the set of all colorings. Now starting with any particular oriented coloring, each application of D4 gives us a fresh oriented coloring. Thus, each orbit contains |D4 | = 8 elements. Therefore, 24 = (number of orbits) × 8 Hence, the number of orbits is 3. In other words, there are three essentially different ways of coloring the corners of a square, and it is not hard to identify them (Fig. 3.7). Example 3.8.3 As a second example, consider the number of (essentially different) ways of coloring the vertices of a hexagon such that one is white, one is red, and four are green. We begin by calculating the number of oriented colorings with this combination of colors. To obtain such a coloring we must first choose two vertices
R .......................................................................... W
W........................................................................... R
R ............................................................................ B
G
G
G
..... ..... ... ... ... .. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . ... ..........................................................................
B
..... ..... ... ... ... .. ... ... ... ... ... ... ... .... .. . .. ... . ... .... ... ... ... ... ... ...........................................................................
Figure 3.7
B
..... ..... ... ... ... .. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . ... ..........................................................................
W
232 Introduction to Applied Algebraic Systems W
........... ...... ............ ....... ....... ....... ....... . . . . . ....... ...... ... G ....... ... R ... ... ... ... ... ... ... ... ... ... .. ... . . . . . . G ......... ... G . . . . . ....... .. . . . . . . ....... . ....... ............ ..............
A
G
W
........... ...... ............ ....... ....... ....... ....... . . . . . ....... ...... ... G ....... ... G ... ... ... ... ... ... ... ... ... ... .. ... . . . . . . G ......... ... R . . . . . ....... .. . . . . . . ....... . ....... ............ ..............
B
G
W
........... ...... ............ ....... ....... ....... ....... . . . . . ....... ...... ... G ....... ... G ... ... ... ... ... ... ... ... ... ... .. ... . . . . . . G ......... ... G . . . . . ....... .. . . . . . . ....... . ....... ............ ..............
C
R
Figure 3.8
(to be colored white and red). There are 62 ways of doing that. Then we have two ways of coloring one of them white and the other red. The remaining vertices are colored green. Thus, in total, we have 6 × 2 = 30 2 oriented colorings. Now we consider the number in each orbit under the action of D6 . Every element of D6 gives a different oriented coloring when applied to A. Hence the orbit of A has 12 elements. Likewise, the orbit of B has 12 elements (Fig. 3.8). On the other hand, the orbit of C has only 6 elements. This gives a total of 30. Hence, there are 3 distinct orbits and 3 essentially different colorings, as given by A, B, and C. Exercises 3.8 1. Let G denote the group of invertible elements in Z12 . For each a ∈ G, let ρa denote the mapping of Z12 to Z12 defined by ρa : x → ax
(x ∈ Z12 ).
(i) Show that H = {ρa | a ∈ G} is a subgroup of SZ12 . (ii) Describe the orbits in Z12 under H . 2. Let D4 , the group of rotations of a square act on the vertices, edges, and interior points of a square. Describe the orbits. 3. Let G be the group of rotations of a rectangle (that is not a square), considered as acting on the vertices, edges, and interior points. Describe the orbits. 4. Let G be the group of rotation of a box that has three unequal dimensions, considered as acting on the vertices, edges, sides, and interior points. Describe the orbits.
Groups and Permutations 233
5. Let χ : (Z6 , +) → SZ6 be the Cayley representation of Z6 . Describe the orbits of Z6 under (i) χ(2) (ii) χ(3). 6. Let χ : S3 → SS3 be the Cayley representation of S3 and let α = (1 2). Describe the orbits of S3 under χ (α). 7. Let H be a subgroup of the group G and let χ : G → SG be the Cayley representation of G. Let x, y ∈ G. Show that x and y lie in the same orbit with respect to χ(H ) if and only if Hx = Hy. 8. Determine the number of ways of coloring the vertices of a square so that two are red and two are green. 9. Determine the number of different ways of arranging 6 keys on a key ring. 10. Determine the number of ways of coloring the vertices of a regular n-gon with n different colors. 11. Determine the number of ways of seating n dinner guests around a circular table. 12. Let ABCD be a rectangle with |AB| = |BC|. (i) How many essentially different ways are there to color the corners of the rectangle with 4 different colors? (ii) How many essentially different ways are there to color the corners of the rectangle if 2 are to be colored white, 1 red, and 1 green? 13. A stained glass ornament consists of two concentric circles with two perpendicular diagonals: ...................... ............... ..... ........................ ......... ........ ... ....... ....... . ... . . . . . .... ... .... .... ... .... . .... . ... . . . ... . . . ... ... . . . . . . . . . . . . . . . . . ...... .... ............. ... . . . . . . . . . ...... .... ... . . . . . . . .... ... . . . .. . . . . ... .. .. ..... . ... .. .. ... .. .. .. ... .. . .. .. .... ........................................................................................................................................................... .. . .. . . .. .. . . .. . . . ... ... .. .. .. ... .. ... . . . . . .. . .... ... ... .... .. ...... ... ......... ..... .............. .. ......................... ... ... . . .... . . . ... .... .... .... ... ..... ..... ... ... ....... ...... . . . . ... . ........ . ....... . ........... .......................................................
It has 8 stained glass panels in total. (i) How many essentially different patterns are there if 8 different colors are used?
234 Introduction to Applied Algebraic Systems
(ii) How many essentially different patterns are there if 1 panel is red and 7 are clear? (iii) How many essentially different patterns are there if 2 panels are red and 6 are clear? 14. An equilateral triangle is divided into 6 inner triangles by the 3 medians. Determine the number of essentially different ways to color the 6 inner triangles using (i) 6 different colors (ii) 4 green and 2 red (iii) 3 green and 3 red.
3.9 Orbit/Stabilizer Theorem
In section 3.8 we saw how the action of a group G of permutations on a set X imposes some structure on that set by partitioning it into orbits. We begin this section by reversing the point of view to see that the elements of X are reflected in the structure of G. The stabilizer of x (in G) is S(x) = {α ∈ G | α(x) = x}. For example, if G = S4 , then S(2) = { , (13), (14), (34), (134), (143)} = S{1,3,4} . Let us consider again the rotations of an equilateral triangle as in Figure 3.5. We have a variety of stabilizer groups. Let ρA (respectively, ρB , ρC ) denote the rotation through 180◦ about the axis AM1 (respectively, BM2 , CM3 ). Then, where P is any point that does not lie on a median, S(A) = { , ρA }, S(B) = { , ρB }, S(C) = { , ρC } S(O) = D3 ,
S(P) = { }.
The fact that all these stabilizers turn out to be subgroups is no accident. Lemma 3.9.1 Let G be a subgroup of SX and x ∈ X . Then S(x) is a subgroup of G.
Groups and Permutations 235
Proof. Let α, β ∈ S(x). Then (αβ)(x) = α(β(x)) = α(x) =x
since β ∈ S(x) since α ∈ S(x).
Therefore, αβ ∈ S(x). Also, α −1 (x) = α −1 (α(x)) since α ∈ S(x) = (α −1 α)(x) = (x) = x. Therefore, α −1 ∈ S(x) and S(x) is a subgroup.
The technique used in the previous section to count essentially different colorings requires us at each stage to find a new coloring that is not in any of the orbits previously listed. As the number of orbits increases, this becomes increasingly difficult. However, alternative approaches exist that shift the focus to aspects of the action of each group element. Since the group elements may be fewer in number than the elements of X , this has certain advantages. Theorem 3.9.2 (Orbit/Stabilizer Theorem) Let X be a nonempty set, G be a finite subgroup of SX , and x ∈ X . Then |G| = |O(x)||S(x)|. Proof. Since S(x) is a subgroup of G, we know from Lagrange’s Theorem that |G|/|S(x)| = the number of distinct left cosets of S(x) in G. So it suffices to show that the number of left cosets equals the number of elements in O(x). To this end, define ϕ : {αS(x) | α ∈ G} −→ O(x) by ϕ(αS(x)) = α(x). Our goal is to show that ϕ is a bijection.
236 Introduction to Applied Algebraic Systems
(i) ϕ is well defined. We have αS(x) = βS(x) =⇒ α = βγ for some γ ∈ S(x) =⇒ α(x) = βγ (x) = β(x) since γ ∈ S(x). Therefore, ϕ is well defined. (ii) ϕ is injective. For α, β ∈ G, we have ϕ(αS(x)) = ϕ(βS(x)) =⇒ α(x) = β(x) =⇒ β −1 α(x) = β −1 β(x) = x =⇒ β −1 α ∈ S(x) =⇒ αS(x) = βS(x) which implies that ϕ is injective. (iii) ϕ is surjective. Let y ∈ O(x). Then for some α ∈ G, we have y = α(x). Hence, ϕ(αS(x)) = α(x) = y and ϕ is surjective. From (i), (ii), and (iii), it follows that ϕ is a bijection. Therefore, |O(x)| = number of left cosets of S(x) in G = |G|/|S(x)| which implies that |G| = |O(x)| |S(x)|.
To illustrate the Orbit/Stabilizer Theorem, consider the group D3 of rotations of an equilateral triangle (Fig. 3.5). We have the following: x
| O(x) |
| S(x) |
| O(x) || S(x) |
A M1 O p
3 3 1 6
2 2 6 1
6 6 6 6
The Orbit/Stabilizer Theorem is a great help in determining the size of many groups.
Groups and Permutations 237
v
............................................................................................. . ......... .... ......... ........ .... .......................................................................................... ..... .... ..... ..... ... ... ... ... .. ... ... ... . ... ... ... . ... ... . ..... ... ... .... ... ... ... ... ... ... ... . ... ... ... . ... ........... ....... ....... .......... ....... .......... ... . . . . . . . . . . . . ... . . .. ..... .............. ... ....... .. ........................................................................................
Figure 3.9
Example 3.9.3 Let G denote the group of rotations of a cube. Let v denote any of the vertices (Fig. 3.9). It is not hard to See that O(v) consists of all vertices and that the number of rotations that fix the corner v is 3. Thus, |O(v)| = 8
and
|S(v)| = 3.
Therefore, by the Orbit/Stabilizer Theorem, |G| = |O(v)| |S(v)| =8×3 = 24. Example 3.9.4 Balls used in various sports (for example, basketball, football, or soccer) often display interesting patterns that relate to various rotational groups. Suppose we wished to determine the size of the group G of those rotations of a soccer ball (Fig. 3.10) that respect the pattern of panels. This pattern has 30 vertices, 12 pentagonal faces (shaded black), and 20 hexagonal faces (white). There is more than one way to do this using the Orbit/Stabilizer Theorem. Clearly, every rotation is completely determined by what it does to the vertices. So we can consider the group of rotations as a group of permutations of the vertices. It is not difficult to see that there is just one orbit that contains
... ............................................. ....... ...................................... ........ .... ............................................................................. . . . . ... ......... ... .... .. ............................. ........................ ........ ...................................... ........................................................................................................................................ ......................................... ............................. ............................................... .. .. .................. ........................................ ... . .. .. ... .. ......................................................... ................. .... .................. .... ............................................. ................................................................ ................................................ ........... ...................... ........... ............
Figure 3.10
238 Introduction to Applied Algebraic Systems
q
.. ....... .... ....... .............. . . . ...... ............. ....... ....... ....... .. ....... .... ............ ....... .. ......... ........... ........ . . ...... . . . . . ..... ....... . . .. ... ... ... ... ... ... ... ... ... ... ....... .. ... ....... ......... ......... . . . . . . . . . . . . . . . . . . . . .. ................. .... ... ......... . . . . . . ....... ... ... . . . . . ....... ... . ....... ............ .............. . ............
q
q
q
q
q
q
q q
q
q
q q
q
q
Figure 3.11
all the vertices. It is also easy to see that, for any vertex v, S(v) = { }. Hence, |G| = |O(v)| |S(v)| = |O(v)| = number of vertices = 60. Alternatively, we could focus on the centers of the dark pentagonal faces. Again we have just 1 orbit. However, for any such face f , there will be 5 rotations that map that face to itself. Hence, |G| = |O(f )| |S(f )| = 12 × 5 = 60. A similar calculation can be made relative to the hexagonal faces. Example 3.9.5 Let G be the automorphism group of the graph in (Figure 3.11). Then it is not hard to see that, for any vertex v on the inner hexagon, |O(v)| = 3,
|S(v)| = (63 × 23 ) × 2
so that, by the Orbit/Stabilizer Theorem, |G| = |O(v)||S(v)| = 3 × 6 3 × 23 × 2 = 34 × 27 . It is common to refer to the group of permutations of an object respecting its patterns or shape as the group of symmetries of that object. Thus, here we have been looking at the group of symmetries of a cube, a soccer ball, and a graph.
Groups and Permutations 239 . ......... ... .. ... ... ..... ...... . . . . .... ..... ...... ... .... .. ... .... ... .... . . .... . . . .. . .... . . . . .. . .... . . . . .. . .... . . . . . . . .... . . . . .. .... . . . . . ............... .... .... .... .... .... ....... .... .... .... .... .... .... ............ ....... . . ....... . . ......... . ....... . . . . . . . . . . ....... .... ... ....... ......... ....... ..... ......... ....... .. ................ ..............
Tetrahedron ............ .......... ........................................................... .......... .... .. . .......... ......... ..... ........................................................................................... ..... . ... . ... ..... ... .. ... ... ... ... ... .... ... ... ... .. ... ... . ... ... ... ..... ... ... ... ... .. ...... ... ... . . . . . . . . . . . . ... . . . . ..... .... .... .... ......... . . ... .... .... ... . ... . .. ...... .... ... ................. ....................................................... ............ ............
. ....... .... . ...... .... .... ........ . . . . .. ..... .... .. ..... .. .. ...... .... .. .. ...... .... . . . . . . .. ..... . . . . . . .. . . .. ..... . . . ................... .... .... .... ..... .... .... .... .... .......... .... . ...... . ... .. .............. . .... .......... .. ........................................... .... ..................................................... .. .... .. .... . . .... .... ... . .... .. .... . . . . .... ... .. .. .... ... .... . ..... .... .. ....... ... ...... ...... . ..... ...... ..... ........
Cube
Octahedron
............ .... ................................... ..... ...... .... .. ....... . . . . . .................. ................... ... ... ..................................... ... ...... . . ... .... .... ... ... ... ... .... .... .... .. ... .... ...... .... .... ........ .. ... ... ... ..... .... ...... ... ... . . ... .... . ... .. ....... ..... ........ ..... ... ......... ......... ........ .. ... ... ..... . . . ... .... . . . . . . . .. .. ...... ................ ... ... .. ... ... ................ .... ... ... ............ ... ........................ ...... ... ... .... . . ... .. ... . . . . ... .. .. .... .... . .. .... .... ... .. ..... ..... .... ............ .. ...... ............. . ....... .....................................................
..... ........ ......... ....... .... ............ ....... ...... ..................... . . . . . . .... ......... .... .. .. .... ........ ....... .. ........ .... ....... ..... .......... .... ... . ....... ............................ .... ....... ........ .... .... .................. ..................... ...... ....................................................................................................... .... . . . . . ..... . .. .... .. ... .. ... ...... ... .. ... ... .. ... ... . ... ......... ... ...... .... . . . ... . ... .. .... ... .. .. .. ... ... ... .. .. ... ... ..... .. .... .... ... ... ... .. . .. ... ... ... ..... .. ..... .. .. .. .. ... .. ......... .... .... .... ............ .... ............. ......... ... ... . .... . ........ ......... . ... . . . . . . . . . . . . .... ........ ... ... . ..................................... . . ... ....... ......... ....... ..... .................................................................................... ....... . . .. ...... . . ....... ... . . . . . . . . ....... .. .. ... .......... ......... .. ....... ......... ........... .............
Dodecahedron
Icosahedron Figure 3.12
The regular polyhedra displayed in Figure 3.12 display very interesting symmetries that will be considered in the exercises. Their arrangement in Figure 3.12 is deliberate to indicate the duality that exists among them. If you join the midpoint of each face of the cube, then these line segments form the edges for an octahedron. Dually, if you join the midpoint of each face of the octahedron, then these line segments form the edges of a cube. A similar duality exists between the dodecahedron and the icosahedron. The tetrahedron is self-dual. The 5 regular polyhedra are sometimes referred to as the Platonic solids in honor of the studies of them conducted by the Academy of Plato in Athens. Credit, however, for the proof of the fact that there are exactly five regular polyhedra is usually given to Theaetetus, born 414 b.c. The regular
240 Introduction to Applied Algebraic Systems
polyhedra fascinated the ancient Greek mathematicians. Book XIII of Euclid’s Elements, the last book, is devoted to the study of the regular polyhedra. Exercises 3.9 1. (i) Show that the mapping α : x → 5x
(x ∈ Z12 )
is a permutation of Z12 . (ii) Find the order of G = α. (iii) Find the orbits and stabilizers under the action of G. 2. Repeat Exercise 1 with respect to the mapping α :x →x +8
(x ∈ Z12 ).
3. Let R = Z3 [y]/(y 2 − 1), G = {1, y}, and for each a ∈ G define a mapping ρa : R → R by ρa (f (y)) = af (y). (i) (ii) (iii) (iv)
Show that G is a group with respect to multiplication (in R). Show that H = {ρ1 , ρy } is a subgroup of SR . Find the orbits of the elements of R with respect to H . Find the stabilizers in H of the elements of R.
4. Let R = Z2 [y]/(y 4 − 1), G = {1, y, y 2 , y 3 }, and for each a ∈ G define a mapping ρa : R → R by ρa (f (y)) = af (y). (i) (ii) (iii) (iv) (v)
Show that G is a group with respect to multiplication (in R). Show that H = {ρ1 , ρy , ρy 2 , ρy 3 } is a subgroup of SR . Find the orbits of the elements of R with respect to H . Find the stabilizers in H of the elements of R. Show that the sizes of the orbits and stabilizers conform to the Orbit/Stabilizer Theorem.
5. Describe the orbits and stabilizers for the following shapes under the action of the corresponding group of rotational symmetries: (i) A circle (ii) An isosceles triangle (that is not equilateral) (iii) A square. 6. Determine the order of the group of rotational symmetries for each of the regular polyhedra (Fig. 3.12).
Groups and Permutations 241
7. For each of the following objects, describe each element of the group of rotations as a single rotation: (i) Tetrahedron. (ii) Cube. (iii) Octahedron. 8. Let H be an abelian subgroup of SX . Let x, y ∈ X be such that O(x) = O(y). Show that S(x) = S(y). 9. Let GF(9) = Z3 [y]/(y 2 + 1). Define ϕ : a → a3
(a ∈ GF(9))
(see Exercise 12 in section 3.3). Let H = ϕ be the subgroup of the group of permutations of GF(9) generated by ϕ. Describe the orbits and stabilizers with respect to the action of H on GF(9).
3.10 The Cauchy-Frobenius Theorem
In the coloring problems that we considered in section 3.8, the variations were sufficiently limited that we were able to identify all the orbits by a process of exhaustion. This becomes much harder as the number of orbits increases. In this section we will consider a clever result that enables us to calculate the number of orbits as long as we have a good understanding of how each group element behaves. Let G be a subgroup of SX (X = ∅) and let α ∈ G, x ∈ X . If α(x) = x then we say that α fixes x or that x is fixed by α. The set F (α) = {x ∈ X | α(x) = x} is the fixed set of α. Note that x ∈ F (α) ⇐⇒ α ∈ S(x). Consider the group of rotations of the square { , R = R, R 2 , R 3 , ρ, Rρ, R 2 acting on the vertices, where ρ is taken to be the rotation about the diagonal BD (Fig. 3.13). Then
ρ, R 3 ρ}
F ( ) = {A, B, C, D} F (R) = F (R 2 ) = F (R 3 ) = ∅ F (ρ) = {B, D}.
242 Introduction to Applied Algebraic Systems .... . ... ... ....... 1 .... ..... .. ......... . .... ................. .... . . . . . .... .. .... A ............................................................................................. B .. ... ... . . . ... .... .... . ..... . ... ... ... .... ... .... ........ . . ... ... ... . . . . ........ ........ ........ ........... ........ ............. ........ ........ ............ ............ ........ . . . . ................... . . ..... .... ... ..... ... .. ..... . .. ... . .... ..... .... . . . . ... .... . .... .... .. ............................................................................... C .... ... D..... ... ..... ... ... ....... . . . . . . . ....... ............. 2 ............................ 1 .............. .. . . . .... . .... .. ...
σ
.... .
σ2
ρ
ρ
Figure 3.13
We already know from the Orbit/Stabilizer Theorem that there is a strong link between the sizes of the orbits and the stabilizers. The next result gives a connection between the stabilizers and the fixed sets. Lemma 3.10.1 Let X be a finite nonempty set and G be a subgroup of SX . Then
|F (α)| =
α∈G
|S(x)|.
x∈X
Proof. Consider the following array, where the top row lists the elements of X and the first column lists the elements of G: G\X α1 .. . αi .. . αm
x1
···
xj
···
xn
F (αi )
S(x1 )
S(xj )
F (α1 )
S(xn )
F (αm )
Now imagine that a check mark () is placed in the box in row αi and column xj if and only if αi (xj ) = xj . The number of check marks in the αi row is just the number of x ∈ X for which αi (x) = x—that is, |F (αi )|. Thus, the total number of check marks is |F (α)|. (3.5) α∈G
On the other hand, the number of check marks in the x column is just the number of α ∈ G with α(x) = x—that is, |S(x)|. Thus, the total number of
Groups and Permutations 243
check marks must be
|S(x)| .
(3.6)
x∈X
Since both expressions (3.5) and (3.6) represent the total number of check marks in the array, they must be equal. The next theorem is often referred to as Burnside’s Lemma. For an interesting article on the history of the naming and misnaming of this result, see [Neu]. Theorem 3.10.2 (Cauchy-Frobenius Theorem) Let X be a finite nonempty set and G be a subgroup of SX . Let N denote the number of different orbits of G. Then N =
1 |F (α)|. |G| α∈G
Proof. Let the orbits be O1 = {a1 , . . . , am } O2 = {b1 , . . . , bn } .. . ON = . . . .
Each element of X appears in one and only one orbit. Then, by the Orbit/Stabilizer Theorem,
|S(a1 )| + · · · + |S(am )| =
|G| |G| = |G| + ··· + m m m
|G| |G| = |G| + ··· + |S(b1 )| + · · · + |S(bn )| = n n ··· ··· ··· summing all these equations, we obtain
|S(x)| = |G|N .
x∈X
By Lemma 3.10.1, we have |G| N = as required.
α∈G
|F (α)|. Hence, N =
1 |G|
α∈G
|F (α)|,
244 Introduction to Applied Algebraic Systems
To see how the concept of a fixed set works with colorings, consider the essentially different ways of coloring the vertices of a square with 1 white, 1 red, and 2 blue. To find the number of different oriented colorings, we see that we just have to pick one vertex to be white and then one to be red. Thus the total number of possibilities is 4 3 · = 4 × 3 = 12. 1 1 Again, we consider two coloring to be essentially the same if one is derived from the other by applying a rotation—that is, an element from D4 = { , R, R 2 , R 3 , ρ1 , ρ2 , σ1 , σ2 } where R is a rotation through 90◦ about an axis perpendicular to the page, ρ1 and ρ2 are rotations about axes through AC and BD (in Fig. 3.13), respectively, and σ1 and σ2 are rotations about axes through the midpoints of the sides AB and BC (Fig. 3.13), respectively. Any coloring in our set has only one vertex colored white. Applying any power of R (other than ) to this coloring will move the white to a different vertex and so give a different oriented coloring. Thus, no oriented coloring is left fixed and F (R i ) = ∅ for i = 1, 2, 3. The same argument applies to both σ1 and σ2 . However, the ρi ’s are a bit different since ρ1 , for instance, will not move the colors assigned to the vertices A and C. Hence, ρ1 will leave the following colorings fixed: W................................................................................ B
R .................................................................................. B
B
B
.... .... ... ... .. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . .............................................................................
R
.... .... ... ... .. ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . ..............................................................................
W
and it is not difficult to see that these are the only colorings left fixed by ρ1 . Thus, |F (ρ1 )| = 2. Similarly, |F (ρ2 )| = 2. Last, it is evident that the identity fixes all the colorings. Summarizing, we have A
|F (α)|
∈ Ri ρi σi
12 0 2 0.
Groups and Permutations 245
Now to say that two oriented colorings are essentially the same is equivalent to saying that they lie in the same orbit. Thus, to find the number of essentially different colorings, what we want to do is find the number of distinct orbits. This is precisely what the Cauchy-Frobenius Theorem will do for us. Applying the formula from the Cauchy-Frobenius Theorem, we conclude that the number of orbits is 1 N = (12 + 0 + 0 + 0 + 2 + 2 + 0 + 0) 8 =
16 = 2. 8
Thus there are only two essentially different colorings in this case and they are easily identified: Either the red and white vertices are adjacent or they are opposite to each other. Well, the answer is so simple in this case that we did not really need the Cauchy-Frobenius Theorem to solve it. However, it enabled us to illustrate the concepts before considering more challenging examples. Example 3.10.3 How many ways are there to color the 6 faces of a cube in such a way that 2 are red and 4 are white? The group of rotations of the cube has elements of the following types: 1 6 3 8 6
identity . rotations R through 90◦ or 270◦ about axes through the centers of the opposite faces. rotations S through 180◦ about axes through the centers of opposite faces. rotations ρ about axes through opposite corners. rotations σ about axes through midpoints of opposite edges.
This gives us the required total of 24 rotations. The number of oriented colorings 6 is just the number of ways of choosing 2 faces to color red—that is, 2 = 15. With a little thought we can calculate the sizes of the fixed sets as follows: α
|F (α)|
R S ρ σ
15 1 3 0 3.
246 Introduction to Applied Algebraic Systems
By the Cauchy-Frobenius Theorem, the number of orbits is 1 (15 + 6 × 1 + 3 × 3 + 8 × 0 + 6 × 3) 24 1 × 48 = 2 . = 24
N =
Thus, the number of essentially different colorings is 2. Example 3.10.4 Consider the number of ways of coloring the faces of a cube with 6 different colors. For this we think of the group of rotations of the cube as acting on the faces. The total number of oriented colorings is 6!. Then, |F ( )| = 6! whereas, for any α ∈ G, α = , |F (α)| = ∅. By the Cauchy-Frobenius Theorem, we have that the number of orbits =
1 |F (α)| |G| α∈G
1 = (6! + 0 + 0 + · · · + 0) 24 =
6! = 30. 24
Example 3.10.5 How many ways are there to color the triangular faces of an icosahedron using 20 distinct colors? An icosahedron has 20 triangular faces 30 edges 12 vertices. By the Orbit/Stabilizer Theorem, we see that the size of the group G of rotations is 20 × 3 = 30 × 2 = 12 × 5 = 60. The number of oriented colorings is 20!. We apply the Cauchy-Frobenius Theorem. We have |F ( )| = 20!
Groups and Permutations 247
whereas for any other α ∈ G, F (α) = ∅ so that |F (α)| = 0. Hence the number of orbits is N =
1 F (α) |G| α∈G
1 = (20! + 0 + 0 + · · · + 0) 60 =
20! . 60
Colorings are really just a device used by mathematicians to model some varying pattern of characteristics that might be present at different points of an “object” of some sort. The next example helps to illustrate this idea. Example 3.10.6 Benzene is a chemical compound, each molecule of which is made up of six carbon atoms and six hydrogen atoms. The carbon atoms are arranged in a hexagon and each carbon atom is bonded to a single hydrogen atom (Fig. 3.14). Related chemicals can be derived from benzene by replacing one or more of the hydrogen atoms by a cluster involving one new carbon atom and three new hydrogen atoms (Fig. 3.15). Let us find the number of chemical derivatives that can be obtained from benzene by replacing three of the hydrogen atoms by CH3 clusters. It is not difficult to see that this problem is really a coloring problem in a different guise—namely, how many essentially different ways are there to color the vertices of a hexagon if three of the vertices are to be colored blue (≡ a carbon atom is attached) and three of the vertices are to be colored green (≡ a hydrogen atom is to be attached)? H.r ...
.... ... .. ... ... . ........ . . . .... ... . . .... ... .... .... .... ... .... . ........... . . .... .. ......... ........... . . . .... ..................... ........... ..... ...... .... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . . . . . . . . . . . . . . . . . . .................... .... ...... . . . . . . . . . . . . . ........... . . .. .... .. . . ... . ........... . ..... ... ..... ..... . . .... . ..... ...... ..... .... ..... ... ... ... ... ... ... .
rC
Hr
Hr
r
r
C
rC
rH
C
rC
r
C
r H
Figure 3.14
rH
248 Introduction to Applied Algebraic Systems
H
.... .... .... .... .... ................................................. . ... .... . . . . . . ...
r C
Hr
............. ................. ....................... ....................................
-
... .... ... .... ... .... ... .... ... .... . ....................................................................... . . .. . . ..... . . . ... . ... ... .... .. ..
r C
r
C
H
H Figure 3.15
Taking into account orientation, the number of possibilities would just be the number of ways of choosing three hydrogen atoms for replacement from six possibilities—in other words, 63 = 20. However, those that are related by a rotational symmetry clearly correspond to the same derivative chemical. So, we wish to determine the group of rotational symmetries. Since we are thinking of benzene and its derivatives as molecules in R3 , the appropriate group of rotations is clearly D6 , which we may describe as D6 = { , R, R 2 , R 3 , R 4 , R 5 , ρ1 , ρ2 , ρ3 , σ1 , σ2 , σ3 } where R denotes the rotation clockwise through 60◦ about an axis through the center and perpendicular to the page, each ρi is a rotation about an axis through opposite vertices, and each σi is a rotation about an axis through the midpoints of a pair of opposite sides. For the current calculation, however, we are thinking of D6 as acting on all the different oriented colorings of the vertices with three vertices colored blue and three vertices colored green. The number of oriented colorings is, as we saw earlier, just 20. It is then straightforward to calculate the sizes of the various fixed sets: α R, R 5 R2, R4 R3 ρi σi
|F (α)| 20 0 2 0 4 0.
By the Cauchy-Frobenius Theorem, the number of orbits is (omitting zeros) N = =
1 {20 + 2 + 2 + 4 + 4 + 4} 12 36 = 3. 12
Groups and Permutations 249
Thus, we might expect that there would be three different chemicals derivable from benzene in this way. This is indeed the case: they are 1,2,3Trimethylbenzene, 1,2,4-Trimethylbenzene and 1,3,5-Trimethylbenzene (see [Var]). Exercises 3.10 1. Determine the number of ways of coloring the vertices of a pentagon in each of the following ways: (i) With five distinct colors. (ii) Two are red and three are white. (iii) Two are red, two are white, and one is blue. 2. Find the number of ways of coloring the vertices of a septagon in each of the following combinations: (i) Three red and four white. (ii) One red, two white, and four blue. (iii) One red, three white, and three blue. 3. Find the number of ways of coloring the vertices of an octagon in each of the following combinations: (i) Four red and four white. (ii) Six red and two white. (iii) Two red, two white, and four blue. 4. A jeweller is making colored glass pendants by dividing an equilateral triangle into six small triangles using the medians. How many different designs can he make if (i) four panels are red and two are blue (ii) two panels are red, two are white, and two are blue? 5. Find the number of ways of coloring the vertices of a tetrahedron in the following combinations: (i) One red and three white. (ii) Two red and two white. 6. Find the number of ways of coloring the edges of a tetrahedron in the following combinations: (i) Three red and three white. (ii) Two red and four white. 7. Find the number of ways of arranging three large (identical) pearls and six small (identical) pearls loosely on a necklace. 8. Find the number of derivatives of benzene obtained by replacing two of the hydrogen atoms by CH3 .
250 Introduction to Applied Algebraic Systems
9. How many different chemicals can be obtained by replacing two of the hydrogen atoms (H) in the following organic molecule (propane) by CH3 H H H | | | H—C—C—C—H | | | H H H where equivalence is taken with respect to the group that acts on the molecule as if it were a graph with vertices colored C and H , with three of the H vertices to be replaced by CH3 . 10. Repeat Exercise 9 but this time replace three of the hydrogen atoms.
3.11 K-Colorings
In the preceding sections we have been considering the number of different colorings where the number of times that each color is used is specified (two of this color, three of that color, . . . ). In this and the next section, we consider a slightly different situation in which the number of available colors is specified, but there is no restriction on the number of times that each is used. Let X be a nonempty set where |X | = n. Let K be a set of “colors”, |K | > 1. Then, any mapping γ : X → K is called a K -coloring. We let C denote the set of all possible K -colorings. Since we do not lose anything and since there is no loss in generality in doing so, we think of K as just a set of integers {1, 2, . . . , k} where k = |K |. An important point to note is that a K -coloring may not actually use all k colors of K and some colors may be used many times. At the extreme, a coloring might only use one color. Lemma 3.11.1 |C| = k n . Proof. For each element of X we have k possible colors. Therefore, the total number of possibilities is n · · · × k = k . k × k ×
n times
As before, if one coloring is obtained from another under the action of certain permutations (such as rotations), we may want to consider them to be equivalent. So our next step is to be a bit more precise regarding how permutations of the set X determine permutations of the set C of colorings.
Groups and Permutations 251
α
............................................................................................... .................................. ..................... ...................... ................. .................. ............... ............... . ............. . . . . . . . . . . . ............ ..... . . . . . . . . . . . . . . . . . . ........... . . ......... .... . . . . . . . . . .......... . . . . ....... .. ......... ........ . . . ....... . ........... ......................................................................................................... . . . . . ....... .. . .............. . . ..... ..... ....... .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..................................................................... . . . . . . . . . . . . ... ... ....... . . . . . . ... ... . . .... . ....... . .. . . . . ... ... . ... ....... .. ....... ... ... ..... ... ..... .. .... . . . . . . ... ... . ... ....... . .. .. . . . . . . . ...................................................... . . . . ... . ... ....... . ............................................................. .. . . . . . .... ..... ... . . ... .... ...................................................... . .. .... ... .. .. A ... . . . . B ... B ... A . . . ... ... . ... . . . ...... . . . ... . . . . . . . . ... . ... . . ... ... . . ... . B ... ... .A . ... .. .. . . . . . . ... . . . . ... ... ... . . ... . . . . . . .... . . . . . . . . . . ... . . ... . ... . . ... . . ... . ..... . . ... . . . . . . . . . . . . . . ... . . ... . ... . ... . . ... . . . . .....D . C... ..... . . . . . . . . D . ......C . . . . . ... . . ... ....... . .............................................. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... ... . ... ....... C .... . ....D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... . . . ... ... . ... ... . . . . . ....... . . . . . ... ... . ... ... . . . ....... . . ... . ... . ... . ....... . . . . ... . ... ... . ....... . . . . . .. . ... ... . ....... . .. . . ....... ... . . ... . ..................................................................................................................... . . ....... . .................................................................................................... . . .. ....... . . ....... .... ....... ... ....
R
R
W
W
Y
R
G
W
Y
Y G Transparency
G
Figure 3.16
Lemma 3.11.2 Each element α ∈ SX determines a permutation+ α of C as follows: For every γ ∈ C, (+ α (γ ))(x) = γ (α −1 (x))
(x ∈ X ).
Proof. Clearly, + α (γ ) ∈ C so that + α is a mapping of C to itself. Also, for γ , γ ∈ C. + α (γ ) = + α (γ ) =⇒ γ (α −1 (x)) = γ (α −1 (x))
=⇒ γ (y) = γ (y) =⇒ γ = γ
(x ∈ X )
(y ∈ X )
Hence, + α is injective. Since C is finite, it follows that + α is bijective and therefore a permutation of C. A useful way to visualize the action of + α is as follows. Suppose that we are examining the colorings of the vertices of a square and suppose that α is the rotation through 90◦ in a clockwise direction. Let κ be a coloring. Place a transparency over the drawing. Now color the vertices (according to κ), but on the transparency. We will now obtain the coloring α(κ) by rotating the transparency 90◦ in the clockwise direction. Theorem 3.11.3 Let X be a nonempty set with |X | ≥ 2. The mapping θ : α →+ α
(α ∈ SX )
is an isomorphism of SX onto a subgroup of SC . Proof. By Lemma 3.11.2, θ maps SX into SC .
252 Introduction to Applied Algebraic Systems
Let α, β ∈ SX . Then, for all γ ∈ C, (θ(αβ)(γ ))(x) = γ ((αβ)−1 (x))
for all x ∈ X
= γ (β −1 α −1 (x)) = γ (β −1 (α −1 (x)) = (θ (β)(γ ))(α −1 (x)) = θ (α)(θ (β)(γ ))(x) = ((θ (α)θ (β))(γ ))(x). Therefore, θ(αβ)(γ ) = (θ (α)θ (β))(γ ), for all γ ∈ C, which implies that θ (αβ) = θ(α)θ(β). Hence, θ is a homomorphism. Let + SX = θ(SX ). Then + SX is a subgroup of SC (see Exercise 6 in this SX . It remains to section 3.11) and θ is a surjective homomorphism of SX to + show that θ is injective. Let α, β ∈ SX and α = β. Then α −1 = β −1 so that there exists an element x in X with α −1 (x) = β −1 (x). Let γ be any coloring with γ (α −1 (x)) = γ (β −1 (x)). Then (θ(α)(γ ))(x) = γ (α −1 (x)) = γ (β −1 (x)) = (θ (β)(γ ))(x) so that θ(α)(γ ) = θ(β)(γ ) from which it follows that θ(α) = θ(β). Therefore, SX . θ is injective and an isomorphism of SX onto + Now let G be a subgroup of SX . We will say that two colorings γ1 , γ2 of X are G-equivalent if + α (γ1 ) = γ2 for some α ∈ G. For instance, if we were interested in colorings of the faces of a duodecahedron, it would be natural to consider two such colorings as equivalent if they are equivalent with respect to the group of rotations of the duodecahedron. When dealing with colorings associated with figures (vertices of a hexagon, faces of a tetrahedron, and so forth) we will assume that G is the group of rotations. Of course, what we will normally wish to find is the number of “inequivalent” colorings. This really means the number of orbits under the action of + = {+ G α | α ∈ G}. When studying groups acting on sets, a concept that turns out to be quite helpful is that of faithfulness. Let G be a subgroup of SX and O be an orbit of
Groups and Permutations 253
X under the action of G. Then we say that G acts faithfully on O if it satisfies the following condition: ∀ α, β ∈ G ∃ x ∈ O
such that
α(x) = β(x).
For example, if G is the group of rotations of a cube, then it acts faithfully on the orbit consisting of the corners, the orbit consisting of the centers of the faces, and many other orbits. However, every element of G fixes the center of the cube, and so G does not act faithfully on the orbit consisting of the center. Exercises 3.11 1. Let K = { red, white }, C be the set of K -colorings of the vertices of an isosceles triangle T , and G be the group of rotations of T . (i) List the elements of C. + (ii) Determine the orbits of C under G. 2. Let K = { red, white }, C be the set of K -colorings of the vertices of an equilateral triangle T , and G be the group of rotations of T . (i) List the elements of C. + (ii) Determine the orbits of C under G. (iii) Find an orbit on which G acts faithfully. 3. Let K = { red, white }, C be the set of K -colorings of a square S, and G be the group of rotations of S. (i) (ii) (iii) (iv) ∗ 4.
List the elements of C. + Determine the orbits of C under G. + Find an orbit on which G acts faithfully. Find a nontrivial orbit (in other words, with two or more elements) + does not act faithfully. on which G
Let |K | ≥ 2, C denote the set of K -colorings of a set X , G be a subgroup of SX , and X consist of just one orbit under the action of G. Show that + on which G + acts faithfully. there exists an orbit of C under G
5. Let G = D9 , the group of rotations of a regular 9-gon P with vertices V (P) = {1, 2, . . . , 9}. Let K = {R, W , B} and γ be the coloring of V (P) such that γ (1) = γ (4) = γ (7) = R γ (2) = γ (5) = γ (8) = W γ (3) = γ (6) = γ (9) = B.
254 Introduction to Applied Algebraic Systems
Establish the following: + has three elements—say, γ = γ1 , γ2 , (i) The orbit O of X under G and γ3 . + does not act faithfully on O. (ii) G + on O is that of the full permutation group S3 . (iii) The action of G 6. Let θ be defined as in Theorem 3.11.3. Show that θ(SX ) is a subgroup of SC .
3.12 Cycle Index and Enumeration
In this final section of this chapter we consider a way of enumerating the number of essentially different K -colorings of sets. Suppose that G is a group of permutation of a set X and that we wish to calculate the number of K colorings. Let g ∈ G. Then a coloring is fixed by g if and only if every element in every cycle of g has the same color, though different cycles could have different colors. So, if g has c(g ) cycles, then the number of K -colorings left fixed by g is just |K |c(g ) . By the Cauchy-Frobenius Theorem, the number of different orbits in the set of all colorings must then be: 1 |K |c(g ) |G| g ∈G
We will spell this argument in a little more detail by introducing an important concept concerning the pattern of cycles in permutations of finite sets. Let |X | = n and α ∈ SX be written as a product of disjoint cycles: α = α1 α2 . . . αk . The cycle pattern of α is then 1r1 2r2 · · · n rn where α has r1 cycles of length 1, r2 cycles of length 2, . . . , rn cycles of length n. Note that 1 · r 1 + 2 · r 2 + · · · + n · rn = n since every element of X appears in exactly one cycle of α. For example, the cycle pattern of α = (1 3 5 7)(2 6 8 12)(4 9 10)(11 13)(14 15)(16)(17)(18)
Groups and Permutations 255
as an element of S18 is 13 22 31 42 . We now encode the cycle pattern of a permutation in a polynomial. For any α ∈ Sn with cycle pattern 1r1 2r2 . . . n rn where r1 + 2r2 + · · · + nrn = n we define the cycle index of α to be CIα (x1 , x2 , . . . , xn ) = x1 r1 x2 r2 . . . xn rn . For example, in S10 , we have the following: α
cycle pattern
CIα
110
x1 10
(1)(23)(45)(6789)(10)
12 22 4
x1 2 x2 2 x4
(123)(456)(789 10)
32 4
x3 2 x4
We now define the cycle index of G to be the polynomial CIG (x1 , x2 , . . . , xn ) =
1 CIα (x1 , . . . , xn ) |G| α∈G
=
1 c(r1 , r2 , . . . , rn )x r1 x r2 · · · x rn |G|
where c(r1 , . . . , rn ) is the number of permutations in G with cycle pattern 1r1 2r2 · · · n rn , and the summation runs over all vectors (r1 , r2 , . . . , rn ) such that r1 + 2r2 + · · · + nrn = n.
256 Introduction to Applied Algebraic Systems
Example 3.12.1 Let α = (1 2 3 4) ∈ S4 and G = α. Then G = { , α, α 2 , α 3 } and we have element
cycle pattern
CIα
α α2 α3
14 41 22 41
x1 4 x4 1 x2 2 x4 1 .
Hence, 1 CIG = (x1 4 + x2 2 + 2x4 ). 4 Example 3.12.2 Consider the cycle index for D4 acting on the vertices of a square. As before, we have D4 = { , R, R 2 , R 3 , ρ, Rρ, R 2 ρ, R 3 ρ}, where ρ is a rotation about a diagonal. α
cyclic pattern
CIα
R, R 3 R2 ρ Rρ R2ρ R3ρ
14
x1 4 x4 1 x2 2 x1 2 x2 x2 2 x1 2 x2 x2 2
41 22 12 2 22 12 2 22
Therefore, 1 CIG = (x1 4 + 2x1 2 x2 + 3x2 2 + 2x4 ). 8 It is important to notice that the cycle index of a group depends very much on the set as well as the group. See Exercise 2 in this section. There are some helpful observations regarding the cycle index of a group. (1) If G ⊆ Sn , then there is a term
1 n |G| x1 .
(2) The sum of the coefficients must add up to 1. (3) For each term x1 r1 x2 r2 . . . xn rn , we must have r1 + 2r2 + 3r3 + · · · + nrn = n.
Groups and Permutations 257
(4) If α is written as a product of disjoint cycles and CIα = x1 r1 . . . xnrn , then r1 + r2 + · · · + rn = number of cycles in α. (5) α and α −1 have the same cycle pattern. (6) It is possible to calculate the cycle index of a group without having the full multiplication table written out. In the next result we will see that there is an important connection between the cycle index of a group of permutations and certain kinds of counting problems. This is a very special case of a more general theory developed by G. Pólya. Theorem 3.12.3 (Pólya’s Theorem) Let G be a subgroup of SX and K be a set of k colors. Then the number of G-inequivalent K -colorings of X is CIG (k, k, . . . , k). Proof. As noted earlier, let C denote the set of all orientied colorings using some or all of the k colors. From the preceding section, we see that we wish + By the Cauchyto calculate the number N of orbits under the action of G. Frobenius Theorem, we have N =
1 |F (+ α )|. + |G| + + α ∈G
+ = |G| so that the challenge is to calculate |F (+ By Lemma 3.11.3, |G| α )| for each α ∈ G. Let the cycle decomposition of α be α = (x1 x2 . . . x )(y1 y2 . . . ym ) . . . and let γ ∈ F (+ α ). Then α (γ ))(x2 ) γ (x1 ) = γ (α −1 (x2 )) = (+ = γ (x2 ). Similarly, γ (x2 ) = γ (x3 ) = · · · = γ (x ) and γ (y1 ) = γ (y2 ) = · · · = γ (ym )
258 Introduction to Applied Algebraic Systems
and so on. Thus we see that γ ∈ F (+ α ) ⇐⇒ γ assigns the same color to all the elements within each cycle of α. Therefore, the number of elements in F (+ α ) is equal to the number of ways of assigning colors to the different cycles of α. If CIα (x1 , . . . , xn ) = x1 r1 . . . xn rn then this will be k r1 . . . k rn = CIα (k, k, . . . , k). Thus, |F (+ α )| = CIα (k, k, . . . , k) so the number of inequivalent colorings is N =
1 1 |F (+ α )| = CIα (k, k, . . . , k) = CIG (k, k, . . . , k). + |G| |G| α∈G
+ + α ∈G
Example 3.12.4 Let us consider the number of ways of coloring the faces of a tetrahedron. By an application of the Orbit/Stabilizer Theorem, we see that the group G of rotations of a tetrahedron has 12 elements. The nonidentity elements can be described as follows: Two rotations of order 3 about each vertex One rotation of order 2 about bisectors of opposite edges α
cycle pattern
CIα
14
x1 4
rotation about vertex
1·3
x1 x3
rotation about bisector
22
x2 2
Therefore, CIG (x1 , x2 , x3 ) =
1 (x1 4 + 3x2 2 + 8x1 x3 ). 12
Groups and Permutations 259
Hence, we have number of colors available 2 3 4
number of colorings CIG (k, k, k) 5 15 36
Example 3.12.5 Consider the number of inequivalent ways of coloring the six faces of a cube if six colors are available. For the group G of rotations of a cube we have α
number of such elements
CIα
1
x1 6
rotation about diagonal through opposite vertices
8
x3 2
rotation about axes through centers of opposite faces by 90◦ or 270◦
6
x1 2 x4
rotation about axes through centers of opposite faces by 180◦
3
x1 2 x2 2
rotation about axes through midpoints of opposite sides
6
x2 3
Therefore, CIG =
1 (x1 6 + 6x2 3 + 8x3 2 + 6x1 2 x4 + 3x1 2 x2 2 ) 24
so that the number of inequivalent colorings is CIG (6, 6, 6, 6, 6, 6) = 2226. Of course, most of the hard work is in finding the cycle index for G. Once we have that, it is just a matter of substituting in the number of available colors. So if the number of available colors was five or seven instead of six, then the answers would be given by CIG (5, 5, 5, 5, 5) = 800 CIG (7, 7, 7, 7, 7) = 5390
260 Introduction to Applied Algebraic Systems
r
r
.... .... .... .... .... ... ............................................... . . .... .... .... .... .... .... .... .................... .............. ... .... ... . .... . .. . .... . .... .... ... ................................................ ... .... . . . . .... ....
r
r
r r
r r
r
r
r
r
Figure 3.17
We conclude this section with an example that is a bit more complicated and that illustrates the application of both the Cauchy-Frobenius Theorem and the cycle index. Example 3.12.6 (1) How many essentially different ways are there to color the vertices in the graph in Figure 3.17 in such a way that six vertices are colored red and six vertices are colored white? (2) How many essentially different ways are there to color the vertices of the graph in Figure 3.17 if two, three, or four colors are available? 12 The number of oriented colorings is 6 . Let R denote the rotation through 60◦ in a clockwise direction, ρ a rotation through 180◦ about a diagonal through opposite vertices, and σ a rotation through 180◦ about a diagonal bisecting opposite sides. Now has 12 cycles of length 1 R, R −1 have 2 cycles of length 6 R 2 , R 4 = R −2 , have 4 cycles of length 3 R 3 has 6 cycles of length 2 The 3 ρ’s have 4 cycles of length 2, 4 of length 1 The 3 σ ’s have 6 cycles of length 2. From the cycle pattern of each element, it is fairly straightforward to determine the size of the fixed set. For example, if γ is a coloring that is fixed by R, then the elements in a given cycle must all have the same color. So it is really just a matter of deciding which cycle is red and there are two choices. Therefore, |F (R)| = 2. The trickiest case is for a ρ. Since within a cycle we must have the same color, the options are of three types color 1 1. 2.
3 cycles of length 2
2 cycles of length 2 2 cycles of length 1 3. Reverse of 1
color 2 1 cycle of length 2 4 cycles of length 1 2 cycles of length 2 2 cycles of length 1
Groups and Permutations 261
It suffices to count the number of ways of choosing which vertices to color red: Option 1: There are 43 ways of choosing 3 cycles of length 2. Option 2: There are 42 × 42 ways of choosing 2 cycles of length 2 and 2 cycles of length 1. Option 3: There are 41 ways of choosing 1 cycle of length 2. Hence, |F (ρ)| =
2 4 4 4 + . + 1 3 2
We can now tabulate the sizes of the fixed sets: α
|F (α)| 12
R, R −1 R2, R4 R3 3 ρ’s
total 924 4 12
6
2
4 26 4 1
3
+
4
3 σ ’s
36
+
4 2 2
20 132 60
3
By the Cauchy-Frobenius Theorem, the number of orbits is N = =
1 {924 + 4 + 12 + 20 + 132 + 60} 12 1 {1152} 12
= 96. Thus the answers to part (1) is 96. We can also find the cycle index of G: α
cycle pattern
CIα
R, R −1 R2, R4 R3 3×ρ 3×σ
112 62 34 26 1 4 · 24 26
x1 12 x6 2 x3 4 x2 6 x1 4 x2 4 x2 6
262 Introduction to Applied Algebraic Systems
Therefore, CIG =
1 {x1 12 + 4x2 6 + 2x3 4 + 3x1 4 x2 4 + 2x6 2 }. 12
Hence, the answers to part (2) are given in the following table: Number of colors available Number of distinct colorings 2 3 4
430 46,185 1,415,896
Exercises 3.12 1. Let G = α where α = (123)(45) ∈ S5 . Find CIG . 2. Let G = α and H = β where α = (123) ∈ S3
and
β = (345)(678) ∈ S8 .
(i) Show that G ∼ = H. (ii) Find CIG and CIH . 3. Find the cycle index for each of the following groups: (i) (ii) (iii) (iv)
S2 . S3 . The group of rotations of a pentagon. The group of rotations of a hexagon.
4. Find the cycle index for the groups of rotations of the following solids, acting on the vertices: (i) A rectangular box with three unequal dimensions. (ii) A rectangular box with two dimensions that are equal and distinct from the third. (iii) Repeat (i) and (ii) with the groups acting on the faces. (iv) Repeat (i) and (ii) with the groups acting on the edges. 5. Find the cycle index for the group of rotation of the tetrahedron, acting on (i) the vertices (ii) the faces (iii) the edges. 6. Find the cycle index for A4 .
Groups and Permutations 263
7. Find the cycle index for the Cayley representations of the following groups: (i) (ii) (iii) (iv)
(Z4 , +). (Z5 , +). (Z6 , +). S3 .
8. Find the number of inequivalent colorings of the vertices of a pentagon if three colors are available. 9. If four colors are available, find the number of inequivalent colorings of (i) the vertices of a tetrahedron (ii) the edges of a tetrahedron. 10. Show that the group of rotations of a tetrahedron is A4 . 11. Show that the group of rotations of a cube is S4 . (Hint: Find some feature that a cube has four of.) 12. Show that the group of rotations of an octahedron is S4 . (Hint: Fit a tetrahedron inside a cube.)
4 Groups: Homomorphisms and Subgroups
In this chapter we will probe a little deeper into certain groups that are closely related in some special way to a given group. In one direction, this leads to the concept of a homomorphism that enables us to consider groups that are related but not quite as strongly related as isomorphic groups. In another direction, we will begin the study of subgroups of a group. We will describe completely all finite abelian groups. We will see the wonderful theorems discovered by Sylow that provide us with a wealth of information regarding the presence of subgroups of prime power order. Combined with the direct product of groups, this enables us to describe completely all the groups of certain orders. We will conclude the chapter by considering two important classes of groups: solvable and nilpotent groups.
4.1 Homomorphisms
We have used the concept of an isomorphism to help us recognize groups that are “essentially” the same. Now we consider a slightly weaker concept that is important in the study of the relationships between groups that might not be isomorphic. Let G and H be groups and ϕ : G → H be a mapping. Then, recalling the definition of a homomorphism from Section 3.2, ϕ is a homomorphism if ϕ(ab) = ϕ(a)ϕ(b) for all a, b ∈ G. 264
Groups: Homomorphisms and Subgroups 265
A surjective homomorphism is an epimorphism. An injective homomorphism is a monomorphism. An isomorphism is just a bijective homomorphism. We will occasionally use the notation G ∼ = H to indicate that the groups G and H are isomorphic. If there exists a surjective homomorphism ϕ : G → H , then H is called a homomorphic image of G. Examples of homomorhisms and homorphic images abound. Example 4.1.1 Let n ∈ N and define ϕ : Z → Zn by ϕ(a) = ra where a = qn + ra , 0 ≤ ra < n. Then ϕ is an epimorphism. Example 4.1.2 Let A be an m × n matrix of real numbers. Define a mapping ϕ : Rm → Rn by ϕ(v) = vA . Then ϕ is a linear transformation. In particular, ϕ is a homomorphism of (Rm , +) to (Rn , +). Example 4.1.3 Let G denote the group of all invertible n × n matrices with real entries. Define ϕ : G → R∗ by ϕ(A) = det A. Then ϕ is a homomorphism. Example 4.1.4 Let G = D4 , the group of rotations of a square. Every element α ∈ D4 determines a permutation of the set of diagonals D = {d1 , d2 }. Call this permutation αd . Then ϕ : D4 → SD defined by ϕ(α) = αd is a homomorphism.
(α ∈ D4 )
266 Introduction to Applied Algebraic Systems
Homomorphisms are often used to relate abstract groups to concrete groups, where concrete might mean a group of matrices or permutations. A homomorphism ϕ : G → GLn (F ) is a representation by matrices. A homomorphism ϕ : G → SX is a representation by permutations. Lemma 4.1.5 Let G and H be groups and ϕ : G → H be a homomorphism. (i) ϕ(eG ) = eH . (ii) For all g ∈ G, ϕ(g −1 ) = ϕ(g )−1 . Proof. Exercise.
Let G and H be groups, h ∈ H and A ⊆ H , and ϕ : G → H be an epimorphism. Then we write ϕ −1 (h) = {g ∈ G| ϕ(g ) = h} ϕ −1 (A) = {g ∈ G| ϕ(g ) ∈ A}. Lemma 4.1.6 Let G and H be groups, and ϕ : G → H be a homomorphism. (i) For any subgroup A of G, ϕ(A) is a subgroup of H . (ii) For any subgroup B of H , ϕ −1 (B) = {g ∈ G | ϕ(g ) ∈ B} is a subgroup of G. Proof. (i) Since eH = ϕ(eG ) ∈ ϕ(A), ϕ(A) = ∅. We have x, y ∈ ϕ(A) =⇒ ∃ a, b ∈ A
with
x = ϕ(a), y = ϕ(b)
=⇒ xy −1 = ϕ(a)ϕ(b)−1 = ϕ(ab −1 )
where ab −1 ∈ A
=⇒ xy −1 ∈ ϕ(A). Therefore, ϕ(A) is a subgroup of H . (ii) Since eG ∈ ϕ −1 (eH ) ⊆ ϕ −1 (B), ϕ −1 (B) = ∅. Also we have x, y ∈ ϕ −1 (B) =⇒ ϕ(x), ϕ(y) ∈ B =⇒ ϕ(xy −1 ) = ϕ(x)ϕ(y)−1 ∈ B =⇒ xy −1 ∈ ϕ −1 (B). Therefore, ϕ −1 (B) is a subgroup of G.
Groups: Homomorphisms and Subgroups 267
Let ϕ : G → H be a homomorphism between groups. Then {eH } is a subgroup of H so that ϕ −1 ({eH }) is a subgroup of G. We define the kernel of ϕ to be ker(ϕ) = ϕ −1 ({eH }). This subgroup determines many of the properties of ϕ and is a special kind of subgroup of G, in the sense that not every subgroup of G can be the kernel of a homomorphism. Let ϕ : X → Y be a mapping. Then ϕ determines an equivalence relation ∼ on X by a ∼ b ⇐⇒ ϕ(a) = ϕ(b). We denote this equivalence relation by ϕ
or
ϕ −1 ◦ ϕ.
If ϕ : G → H is a homomorphism between groups, then ϕ is completely determined by ker(ϕ). Lemma 4.1.7 Let ϕ : G → H be a homomorphism between groups with kernel N and let a, b ∈ G. Then ϕ(a) = ϕ(b) ⇐⇒ Na = Nb. Proof. We have ϕ(a) = ϕ(b) ⇐⇒ ϕ(a)ϕ(b)−1 = eH ⇐⇒ ϕ(ab −1 ) = eH ⇐⇒ ab −1 ∈ N ⇐⇒ Na = Nb. Corollary 4.1.8 Let ϕ : G → H be a homomorphism between groups. Then ϕ is a monomorphism if and only if ker(ϕ) = {eG }. Proof. Exercise.
Recall that, for subsets A, B ⊆ G and g ∈ G, AB = {ab | a ∈ A, b ∈ B} Ag = {ag | a ∈ A} gAg −1 = {gag −1 | a ∈ A}.
268 Introduction to Applied Algebraic Systems
Note that Ag = A{g }. In addition, A(BC) = {a(bc) | a ∈ A, b ∈ B, c ∈ C} (AB)C = {(ab)c | a ∈ A, b ∈ B, c ∈ C}. Hence, since the multiplication in G itself is associative, A(BC) = (AB)C. A subgroup N of a group G is normal if gNg −1 = N for all g ∈ G, or, equivalently, if gN = Ng for all g ∈ G. Note that gNg −1 = N ∀ g ∈ G ⇐⇒ g −1 Ng = N ∀ g ∈ G so that the positioning of the inverse on the left versus the right side of N is not important. Note also that every subgroup of an abelian group is normal. There are also nonabelian groups in which every subgroup is normal (see Exercise 8), but generally speaking, a nonabelian group will have subgroups that are not normal (see, for example, Exercise 5). For N , a (normal) subgroup of G, let G/N = set of right cosets of N in G = {Ng | g ∈ G}. The next result provides some basic observations concerning normal subgroups. Theorem 4.1.9 Let N be a subgroup of a group G. Then the following conditions are equivalent: (i) (ii) (iii) (iv) (v)
N is normal. gNg −1 ⊆ N , gN = Ng , (Ng )(Nh) = Ngh The rule
for all g ∈ G. for all g ∈ G. for all g , h ∈ G. (Ng ) ∗ (Nh) = Ngh
defines a binary operation on the set of right cosets G/N of N . (vi) There exists a homomorphism ϕ : G → H of G onto a group H such that N = ker(ϕ).
Groups: Homomorphisms and Subgroups 269
Proof. (i) implies (ii). This follows immediately from the definition of normality. (ii) implies (iii). Let a ∈ N . Then, ga = (gag −1 )g ∈ Ng
by (ii)
so that gN ⊆ Ng . Similarly, ag = g (g −1 ag ) = g (g −1 a(g −1 )−1 ) ∈ gN
by (ii)
so that Ng ⊆ gN and equality follows. (iii) implies (iv). We have (Ng )(Nh) = N (gN )h = N (Ng )h
by (iii)
= Ngh. g
(iv) implies (v). Let Ng = Ng , Nh = Nh . Then there exist a, b ∈ N with = ag , h = bh. Hence, Ng h = Ng Nh = (Nag )(Nbh) = Ng Nh = Ngh
by (iv)
by (iv).
Therefore, ∗ is well-defined. (v) implies (vi). By (v), ∗ is a well-defined binary operation on G/N . Associativity. We have (Ng ∗ Nh) ∗ Nk = (Ngh) ∗ Nk = N (gh)k Ng ∗ (Nh ∗ Nk) = Ng ∗ (Nhk) = Ng (hk) = N (gh)k and the associativity of ∗ follows. Identity. We have Ng ∗ Ne = Nge = Ng = Neg = Ne ∗ Ng so that N = Ne is the identity with respect to the ∗ operation. Inverses. For any Ng ∈ G/N , (Ng ) ∗ (Ng −1 ) = Ngg −1 = Ne = N = Ne = Ng −1 g = Ng −1 ∗ Ng
270 Introduction to Applied Algebraic Systems
so that (Ng )−1 = Ng −1 . Thus, (G/N , ∗) is a group. Now let H = G/N and define ϕ : G → H by ϕ(g ) = Ng . Then, it is clear that ϕ is surjective and, furthermore, that ϕ(g ) ∗ ϕ(h) = (Ng ) ∗ (Nh) = Ngh = ϕ(gh), so that ϕ is a homomorphism. Moreover, ker(ϕ) = {g ∈ G | ϕ(g ) = eG/N = N } = {g ∈ G | Ng = N } = {g ∈ G | g ∈ N } = N. (vi) implies (i). By Lemma 4.1.6, N = ϕ −1 ({eH }) is a subgroup of G. Now let a ∈ N , g ∈ G. Then, ϕ(gag −1 ) = ϕ(g )ϕ(a)ϕ(g )−1 = ϕ(g ) eH ϕ(g )−1 = eH . Thus, gag −1 ∈ N so that gNg −1 ⊆ N for all g ∈ N . Replacing g with g −1 , we obtain g −1 Ng ⊆ N and, multiplying on the left by g and on the right by g −1 , we get N ⊆ gNg −1 . Therefore, gNg −1 = N and N is normal. The next result is contained in the proof of Theorem 4.1.9, but we want to make it explicit. Corollary 4.1.10 Let N be a normal subgroup of a group G. (i) (G/N , ∗) is a group and (if G is finite) G/N has order |G| / |N |. (ii) The mapping π : G → G/N defined by π(g ) = Ng is an epimorphism with ker(π ) = N .
(g ∈ G)
Groups: Homomorphisms and Subgroups 271
The homomorphism π in Corollary 4.1.10 (ii) is called the natural homomorphism of G onto G/N . Henceforth, we write simply G/N , for (G/N , ∗), use juxtaposition for the operation in G/N , and refer to G/N as “G mod(ulo) N .” Any group of the form G/N is called a quotient group of G. Lemma 4.1.11 Let ϕ : G → H be an epimorphism with N = ker(ϕ). (i) A → ϕ(A) is a bijection of {A | N ⊆ A ⊆ G, A a subgroup of G} onto the set of subgroups of H . (ii) For subgroups A, B of G with N ⊆ A, B, A ⊆ B ⇐⇒ ϕ(A) ⊆ ϕ(B) (iii) For any subgroup A of G with N ⊆ A, A is normal in G if and only if ϕ(A) is normal in H . Proof. Exercise.
We conclude this section with a very useful result concerning the number of elements in a product of subgroups. Proposition 4.1.12 Let A and B be finite subgroups of a group G. Then |AB| =
|A| · |B| . |A ∩ B|
(Note: There is no requirement here for the product AB of the subgroups A and B to be itself a subgroup.) Proof. We will show that of A. So let
|AB| |B|
=
|A| |A∩B| .
k=
We know that A ∩ B is a subgroup
|A| |A ∩ B|
and x1 , . . . , xk ∈ A be such that x1 (A ∩ B), . . . , xk (A ∩ B) are all the distinct left cosets of A ∩ B in A.
272 Introduction to Applied Algebraic Systems
Now let a ∈ A, b ∈ B so that ab is an arbitrary element of AB. There must exist an integer i, 1 ≤ i ≤ k, with a ∈ xi (A ∩ B), so that a = xi g for some g ∈ A ∩ B. Hence, ab = xi gb ∈ xi B. Therefore, AB ⊆
,
xi B.
Clearly, xi B ⊆ AB so that AB = xi B and AB is a union of left cosets of B. Furthermore, xi B = xj B =⇒ xi−1 xj ∈ B =⇒ xi−1 xj ∈ A ∩ B
since xi , xj ∈ A
=⇒ xi (A ∩ B) = xj (A ∩ B) =⇒ xi = xj . Therefore, x1 B, . . . , xk B are the distinct left cosets of B contained in AB. Consequently, k=
|AB| B
so that |AB| |A| =k= . |A ∩ B| |B| Exercises 4.1 1. Let H be a subgroup of the group G and let g ∈ G. (i) Show that gHg −1 is a subgroup of G. (ii) Show that the mapping ϕ : H → gHg −1 defined by ϕ(h) = ghg −1
(h ∈ H )
is an isomorphism of H to gHg −1 . 2. Let (G, ·) be an abelian group. Show that the mapping ϕ : G → G defined by ϕ(g ) = g −1 is an automorphism of G.
(g ∈ G)
Groups: Homomorphisms and Subgroups 273
3. Let (G, +) be an abelian group and m ∈ Z. (i) Show that the mapping ϕ : G → G defined by ϕ(g ) = mg
(g ∈ G)
is a homomorphism of G to itself. (ii) Give an example where ϕ is injective, but not surjective. (iii) Give an example where G is finite and ϕ is an automorphism. (iv) Give an example where G is infinite and ϕ is an automorphism. 4. Let G, H , and K be groups and let θ : G → H , ϕ : H → K be homomorphisms. Establish the following: (i) ϕθ is a homomorphism. (ii) ϕθ a monomorphism ⇒ θ a monomorphism. (iii) ϕθ an epimorphism ⇒ ϕ an epimorphism. 5. Find all normal subgroups of (i) S3 (ii) D4 . 6. Show that An is normal in Sn . 7. Let H be a subgroup of the group G with [G : H ] = 2. Show that H is a normal subgroup of G. 8. Show that every subgroup of the quaternion group is normal. 9. Find an example of a group G with subgroups A and B such that AB is not a subgroup. 10. Show that if N1 , . . . , Nk are normal subgroups of G, then N1 N2 · · · Nk is also a normal subgroup of G. 11. Let X be a subset of a group G and let N denote the intersection of all the normal subgroups of G containing X . Show that N is a normal subgroup of G and that N is the smallest normal subgroup of G containing X . 12. Let A = { , (1 2)(3 4)} and V = { , (1 2)(3 4), (1 3)(2 4), (1 4)(2 3)}. Show that A is a normal subgroup of V and that V is a normal subgroup of S4 (and therefore A4 ), but that A is not a normal subgroup of A4 . Thus, a normal subgroup of a normal subgroup need not be normal. 13. Let A, B, and C be normal subgroups of a group G such that A ∩ C = B ∩ C, AC = BC,
and
A ⊆ B.
Show that A = B. (This is known as the modular law.)
274 Introduction to Applied Algebraic Systems
14. Let α = (1 2 3)(4 5), β = (1 7 9 2 6 8 3 5 4) ∈ S9 , A = α, and B = β. Use Proposition 4.1.12 to calculate the number of elements in AB. 15. Show that SLn (F ) is a normal subgroup of GLn (F ). 16. Let R denote the rotation of a regular n-gon about an axis perpendicular to the plane of the n-gon and through an angle of 360 n in a clockwise direction. Show that R is a normal subgroup of Dn . 17. Let G1 = Q8 (see Exercises 8 and 9 in section 3.2), the quaternion group, G2 = D4 , N1 = a 2 , and N2 = R 2 . Establish the following: (i) (ii) (iii) (iv)
N1 and N2 are isomorphic. N1 and N2 are normal subgroups of G1 and G2 , respectively. |G1 /N1 | = |G2 /N2 | = 4. Show that G1 /N1 and G2 /N2 are isomorphic.
18. (i) Show that every element of Q/Z has finite order. (ii) Which elements of R/Z have finite order and which have infinite order? ∗ 19.
Let u = (2, 1), v = (1, 2) ∈ R2 , H = u, v in (R2 , +), and FR = {αu + βv | 0 ≤ α, β < 1}. (FR stands for fundamental region.) (i) Plot the elements of H in R2 and identify the set FR. (ii) Show that each coset of H contains a unique element of FR.
4.2 The Isomorphism Theorems
Homomorphisms have introduced us to new constructions and objects. These, in turn, lead to new relationships that we explore here. Theorem 4.2.1 (First Isomorphism Theorem) Let ϕ : G → H be an epimorphism with ker(ϕ) = N . Let π : G → G/N be the natural homomorphism. Then there exists an isomorphism θ : G/N → H such that θ ◦ π = ϕ. ϕ
-H 3 θ
G π ? G/N
Groups: Homomorphisms and Subgroups 275
Proof. By Lemma 4.1.7, we know that ϕ(a) = ϕ(b) ⇐⇒ Na = Nb
(a, b ∈ G).
(4.1)
Therefore, we can define a mapping θ : G/N → H by θ (Na) = ϕ(a). Since ϕ is surjective, so also is θ . Moreover, θ(Na) = θ (Nb) =⇒ ϕ(a) = ϕ(b) =⇒ Na = Nb
by (4.1).
Thus, θ is injective and therefore θ is a bijection. Finally, θ(Na) θ (Nb) = ϕ(a)ϕ(b) = ϕ(ab) = θ (Nab) = θ ((Na)(Nb))
since ϕ is a homomorphism since N is a normal subgroup.
Thus, θ is a homomorphism and therefore an isomorphism.
This result can be viewed either way: (i) Given N , we can understand G/N better if we can find a good model H ; or (ii) given ϕ, G/N gives us a description of H . In the next result we collect several basic facts concerning combinations of subgroups and normal subgroups. Lemma 4.2.2 Let A, B be subgroups of G, and N be a normal subgroup of G. (i) (ii) (iii) (iv)
A ∩ B is a subgroup of G. A ∩ N is a normal subgroup of A. AN = NA is a subgroup of G. N is a normal subgroup of AN .
Proof. (i), (ii) Exercises. (iii) Let a, b ∈ A, x, y ∈ N . Then, ax = (axa −1 )a ∈ Na so that AN ⊆ NA. Also, xa = a(a −1 xa) ∈ aN .
276 Introduction to Applied Algebraic Systems
Consequently, NA ⊆ AN , from which it follows that AN = NA. Furthermore, (ax)(by) = ab(b −1 xb)y ∈ AN (ax)−1 = x −1 a −1 = a −1 ax −1 a −1 ∈ AN which implies that AN is a subgroup of G. (iv) Exercise. It turns out that the quotient groups that we obtain from combinations of subgroups and normal subgroups are not always distinct. Theorem 4.2.3 (Second Isomorphism Theorem) Let A be a subgroup and N be a normal subgroup of a group G. Then, AN /N ∼ = A/(A ∩ N ). Proof. Note that, by Lemma 4.2.2 (iii), AN = NA. Define ϕ : A → AN /N by ϕ(a) = Na. Since AN = NA, we have AN /N = {Na | a ∈ A}. Hence, ϕ is surjective. For a, b ∈ A, ϕ(a)ϕ(b) = Na · Nb = Nab = ϕ(ab). Thus, ϕ is a homomorphism. Furthermore, a ∈ ker(ϕ) ⇐⇒ Na = eAN /N = N ⇐⇒ a ∈ N . Therefore, ker(ϕ) = A ∩ N . By Theorem 4.2.1, AN /N ∼ = A/ ker(ϕ) = A/(A ∩ N ). In the Third Isomorphism Theorem we obtain a rather pleasing result, as it is reminiscent of the familiar cancellation that takes place in fractions of integers.
Groups: Homomorphisms and Subgroups 277
Theorem 4.2.4 (Third Isomorphism Theorem) Let M and N be normal subgroups of a group G with M ⊆ N . Define a mapping ϕ : G/M → G/N by ϕ : Ma → Na
(Ma ∈ G/M ).
Then ϕ is an epimorphism of G/M onto G/N with kernel N /M . Consequently, (G/M )/(N /M ) ∼ = G/N . Proof. First let πM : G → G/M be the natural homomorphism. Then, πM (N ) = N /M and, since N is normal in G, we see from Lemma 4.1.11 (iii) that N /M is a normal subgroup of G/M . Since M ⊆ N , it is easily verified that ϕ is well defined and is surjective. Also, ϕ((Ma)(Mb)) = ϕ(Mab) = Nab = NaNb = ϕ(Ma)ϕ(Mb) so that ϕ is a homomorphism. Now, Ma ∈ ker(ϕ) ⇐⇒ ϕ(Ma) = eG/N = N ⇐⇒ Na = N ⇐⇒ a ∈ N . Therefore, ker(ϕ) = {Ma | a ∈ N } = N /M . The final claim now follows from the First Isomorphism Theorem.
Exercises 4.2 1. Use the First Isomorphism Theorem to identify the following quotient groups: (i) Sn /An . (ii) Dn /R. 2. By means of the First Isomorphism Theorem, or otherwise, identify the following quotient groups: (i) A4 /V , where V is defined as in Exercise 12, section 4.1. (ii) GLn (F )/SLn (F ). ∗ 3.
By means of the First Isomorphism Theorem, or otherwise, identify the group S4 /V .
278 Introduction to Applied Algebraic Systems
4. Let G denote the set of points on the unit circle in R2 . Each point in G can be represented in the form (cos θ , sin θ ). Define multiplication in G by (cos θ, sin θ ) · (cos ϕ, sin ϕ) = (cos(θ + ϕ), sin(θ + ϕ)). (i) Show that (G, ·) is a group. (ii) Show that G ∼ = (R, +)/(Z, +).
4.3 Direct Products
In this section we consider more fully a very simple way of combining two or more groups to form a new group that was introduced in chapter 3. This is not only important from the point of view of constructing new examples, it is also an extremely important tool for studying the structure of groups and for classifying groups. Theorem 4.3.1 Let A and B be groups, and G = A×B. Define a binary operation ∗ on G by (a, b) ∗ (a , b ) = (aa , bb ). (i) (G, ∗) is a group with identity (eA , eB ) and with inverses given by (a, b)−1 = (a −1 , b −1 ). (ii) A ∗ = A × {eB } is a normal subgroup of G and the mapping iA : a → (a, eB ) is an isomorphism of A to A ∗ . (iii) B ∗ = {eA } × B is a normal subgroup of G and the mapping iB : b → (eA , b) is an isomorphism of B to B ∗ . (iv) The mapping πA : (a, b) → a of G to A is an epimorphism with kernel equal to B ∗ . (v) The mapping πB : (a, b) → b of G to B is an epimorphism with kernel equal to A ∗ . (vi) A ∗ ∩ B ∗ = {eG }, xy = yx for all x ∈ A ∗ , y ∈ B ∗ , and A ∗ B ∗ = G. Proof. There are many things to prove, but they are all quite straightforward and so we leave the verifications as exercises for you. Recall that the group (G, ∗) = (A × B, ∗) constructed in Theorem 4.3.1 is the (external ) direct product of A and B. Normally, we will just write A × B for the direct product of A and B. Since the underlying set in the direct product
Groups: Homomorphisms and Subgroups 279
is just the cartesian product, we can calculate the order of A × B from |A × B| = |A| · |B|. It is also easy to see that A × B ∼ = B × A. Even in nonabelian groups there may be, as the next lemma suggests, many elements that commute with each other. Lemma 4.3.2 Let M , N be normal subgroups of a group G such that M ∩ N = {e}. Then mn = nm for all m ∈ M , n ∈ N . Proof. We have m −1 n −1 mn = (m −1 n −1 m)n ∈ NN = N = m −1 (n −1 mn) ∈ MM = M ∈ M ∩ N = {e}. Therefore, m −1 n −1 mn = e and mn = nm. We are now in a position to obtain an “internal” characterization of a group that is isomorphic to a direct product. Theorem 4.3.3 Let M , N be normal subgroups of a group G such that (i) M ∩ N = {e} (ii) MN = G. Then, G ∼ = M × N. Proof. By (ii), every element g ∈ G can be written as g = mn
where m ∈ M , n ∈ N .
Also, g = mn = m n
where m, m ∈ M , n, n ∈ N
⇒ m −1 m = n(n )−1 ∈ M ∩ N = {e}
280 Introduction to Applied Algebraic Systems
⇒ m −1 m = e = n(n )−1 ⇒ m = m , n = n . Therefore, we can define a mapping ϕ : G →M ×N as follows: For g = mn ∈ G, ϕ(g ) = (m, n). For any (m, n) ∈ M × N , we have ϕ(mn) = (m, n) so that ϕ is surjective. Also, ϕ(mn) = ϕ(m n ) =⇒ (m, n) = (m , n ) =⇒ m = m , n = n =⇒ mn = m n . Thus, ϕ is injective and so ϕ is bijective. Last, for g = mn, h = m n ∈ G, gh = mn m n = (mm )(nn )
by Lemma 4.3.2
from which it follows that ϕ(gh) = ϕ((mm )(nn )) = (mm , nn ) = (m, n)(m , n ) = ϕ(g )ϕ(h). Thus, ϕ is an isomorphism.
When the conditions (i) and (ii) of Theorem 4.3.3 hold, G is called the internal direct product of M and N . When the context is clear, we will sometimes simply describe G as the direct product of M and N without emphasizing the internal nature and will even write G = M × N . As one important illustration of how Theorem 4.3.3 can be applied, we consider Zn , where n is composite. Proposition 4.3.4 Let n, s, t ∈ N, n = st , and (s, t ) = 1. Then Zn ∼ = Zt × Zs .
Groups: Homomorphisms and Subgroups 281
Proof. Consider s and t as elements of Zn and let M = s,
N = t .
Since Zn is abelian, M and N are both normal subgroups of Zn . Also, it is easily checked that |M | = t ,
|N | = s
so that (|M |, |N |) = 1. Hence, M ∩ N = {0} and, from Proposition 4.1.12, |M + N | = |M | · |N | = ts = n = |Zn |. Therefore, M +N = Zn and, by Theorem 4.3.3, Zn ∼ = M ×N . However, M and N are cyclic groups of orders t and s, respectively, so that M ∼ = Zt , N ∼ = Zs . ∼ Consequently, Zn = Zt × Zs . As we saw in chapter 3, the direct product construction can be generalized to an arbitrary number of factors. This has properties similar to those described earlier for the direct product of two groups, which will be explored in the exercises. A group G is said to be decomposable if there exist nontrivial groups A and B with G ∼ = A × B. Equivalently, G is decomposable if there exist proper nontrivial normal subgroups M and N with M ∩ N = {e} and G = MN . We say that a group is indecomposable if it is not decomposable. For example, since Z6 ∼ = Z2 × Z3 , Z6 is decomposable. On the other hand, it is not difficult to see that S3 is indecomposable. Exercises 4.3 1. Let A1 be a subgroup of A and B1 be a subgroup of B. Show that (i) A1 × B1 is a subgroup of A × B (ii) if A1 and B1 are normal subgroups, then A1 × B1 is a normal subgroup of A × B (iii) (A × B)/(A1 × B1 ) is isomorphic to (A/A1 ) × (B/B1 ). 2. Let A1 , A2 , . . . , An be groups. (i) Show that P = A1 × A2 × · · · × An is a group with respect to the operation (a1 , . . . , an )(b1 , . . . , bn ) = (a1 b1 , . . . , an bn ).
282 Introduction to Applied Algebraic Systems
(ii) Show that, for 1 ≤ i ≤ n, Ai∗ = {(e1 , . . . , ai , . . . , en ) | ai ∈ Ai } is a normal subgroup of P. (iii) Show that ∗ ∗ Ai+1 · · · An∗ = {eP }. Ai∗ ∩ A1∗ · · · Ai−1
(iv) Show that xy = yx for all x ∈ Ai∗ , y ∈ Aj∗ where i = j. P is called the (external) direct product of the groups A1 , . . . , An . ∗ 3.
Let G be a group with normal subgroups N1 , . . . , Nn such that (i) Ni ∩ N1 · · · Ni−1 Ni+1 · · · Nn = {eG }, for all i with 1 ≤ i ≤ n (ii) G = N1 N2 · · · Nn . G is then called the internal direct product of N1 , . . . , Nn . Show that G∼ = N1 × N2 × · · · × Nn .
4. Let G be the internal direct product of the subgroups A1 and B, and let B be the internal direct product of the subgroups A2 , . . . , Am . Show that G is the internal direct product of A1 , . . . , Am . 5. Let G be a group and P = G × · · · × G, the direct product of n copies of G. Show that D = {(g , g , . . . , g ) | g ∈ G} is a subgroup of P. 6. Let G, Hi (1 ≤ i ≤ n) be groups and for each i, let ϕi : G → Hi be a homomorphism. Define ϕ : G → H1 × H2 × · · · × Hn by ϕ(g ) = (ϕ1 (g ), ϕ2 (g ), . . . , ϕn (g )). Establish the following: (i) ϕ is a homomorphism. . ker(ϕi ). (ii) ker(ϕ) = 1≤i≤n
(iii) ϕ is a monomorphism if and only if
.
ker(ϕi ) = {e}.
1≤i≤n
(iv) The assumption that each ϕi is surjective is not sufficient to conclude that ϕ is surjective. 7. Let B = (1 2) in S3 . Establish the following: (i) (ii) (iii) (iv)
A3 ∩ B = {ε}. S3 = A3 B. S3 is not the internal direct product of A3 and B. S3 is not isomorphic to A3 × B.
Groups: Homomorphisms and Subgroups 283
8. Show that the following groups are indecomposable: (i) Zp n (p a prime, n ∈ N). (ii) Q8 . 9. Show that for any group G, the set of automorphisms of G, Aut(G), is a subgroup of SG . 10. Let N and G be groups and ϕ : G → Aut(N ) be a homomorphism. Define a binary operation on N × G by (n, g )(n , g ) = (nϕ(g )(n ), gg ). (i) Show that N × G is a group with respect to this operation. It is called a semidirect product of N and G and is denoted by N G. ϕ (ii) Show that N ∗ = N × {eG } is a normal subgroup of N G. ϕ (iii) Show that G ∗ = {eN } × G is a subgroup of N G. ϕ (iv) Show that N G = N ∗ G ∗ . ϕ
4.4 Finite Abelian Groups
There are many proofs of the Fundamental Theorem for Finite Abelian Groups. The one that we follow here is based on the nice proof by Gabrial Navarro in [Nav]. For any finite abelian group G, and any prime p, let 0 / k Gp = g ∈ G|g p = e, for some k N
Gp = {g ∈ G|(|g |, p) = 1}.
Lemma 4.4.1 Let G be a finite abelian group. Then Gp and Gp are both subgroups
of G, and G is the direct product of Gp and Gp .
Proof. The verification of the facts that Gp and Gp are subgroups of G is left
to you as an exercise. To see that G is the direct product of Gp and Gp , first note
that Gp ∩ Gp = {e} since elements in Gp and Gp have relatively prime orders.
So, it remains to show that G = Gp Gp . Let g ∈ G and let |g | = p k m, where (p, m) = 1. Then g is a cyclic group of order p k m. By Proposition 4.3.4, g is the direct product of a cyclic group A of order p k and a cyclic group B of order m. Hence, there exist elements a ∈ A, b ∈ B such that g = ab. But, clearly, a ∈ Gp and b ∈ Gp . Therefore, g ∈ Gp Gp , G ⊆ Gp Gp so that
G = Gp Gp . We have now shown that G is the direct product of Gp and Gp .
284 Introduction to Applied Algebraic Systems
A more general version (known as Cauchy’s Theorem) of the next lemma will appear later. Lemma 4.4.2 Let G be a finite abelian group, p be a prime number, and p divide |G|. Then G contains an element of order p. Proof. We argue by induction on the order of G. Let H be a maximal proper subgroup of G. Then there is no subgroup K of G such that H ⊂ K ⊂ G. Hence, by Lemma 4.1.11(i), there is no proper nontrivial subgroup of G/H , which means that any nonidentity element of G/H is a generator. In other words, G/H must be a cyclic group of prime order. If p divides |H |, then we are done by induction. Otherwise, p must divide G/H and, since G/H is cyclic of prime order, we must have |G/H | = p. Let y ∈ G\H . Then Hy = H , so that we must have G/H = Hy and |Hy| = p. Let π : G −→ G/H be the natural homomorphism. Then π(y) = Hy so that π(y) = Hy. By the First Isomorphism Theorem, we then have that Hy ∼ = y/N for some (normal) subgroup N of y. Hence, p = |Hy| = |y|/|N |. Therefore, p must divide |y| = |y|. Hence, some suitable power of y is of order p. Let |G| = p α where p is a prime number and α ∈ N. Then G is a called a p-group. Since the order of any element in a finite group divides the order of the group, it is clear that the order of any element in a p-group must be a power of p. From Lemma 4.4.2, we know, conversely, that if every element of a finite abelian group G has order equal to a power of some fixed prime p, then G is a p-group. In Corollary 4.6.4, we will see that this is also true in arbitrary finite groups. When infinite groups are included in the discussion, it is customary to define a p-group to be a group in which every element has order equal to a power of p. Lemma 4.4.3 Let G be a cyclic group of order p n , for some prime p. Then G has a unique subgroup K of order p. Moreover, K is contained in every nontrivial subgroup of G. Conversely, if G is a finite abelian p-group that is not cyclic, then G contains two distinct subgroups of order p. n−1
n
n−1
Proof. Let G = a. Since (a p )p = a p = e, it follows that K = a p is a subgroup of order p. It will suffice to show that K is contained in every other nontrivial subgroup of G. Let H be a nontrivial subgroup. Then H contains a nontrivial element b, say. Let b = a m where m = sp k , (s, p) = 1, k < n. Then there exists t ∈ N such that st ≡ 1 mod p n so that b t = a mt = a (st )p = (a st )p = a p . k
k
k
Groups: Homomorphisms and Subgroups 285
Therefore, ap
n−1
k
= (a p )p
n−1−k
= (b t )p
n−1−k
∈ b
and K = a p
n−1
⊆ b ⊆ H .
Consequently, K is contained in every nontrivial subgroup and, in particular, in every subgroup of order p. But K itself has order p and so it must be the only subgroup of order p. Conversely, suppose that G is a finite abelian p-group that is not cyclic. Let A = a be a cyclic subgroup of G with the maximum order among all cyclic subgroups of G. Let |A| = p n . Since G is not cyclic, G = A and there must exist an element b ∈ G\A. Let b be one such element of the smallest possible order. Then we must have b p ∈ A (since the order of b p is |b|/p). Let b p = a k , for some integer k. First suppose that p does not divide k. Then, since p is prime, (p, k) = 1 and there exist integers x, y with xp + yk = 1 so that a = a xp+yk = a xp (a k )y = a xp b py = (a x b y )p . Hence, p n = |a| = |(a x b y )p | = |a x b y |/p. But then |a x b y | = p n+1 > |a|, contradicting the choice of a. Hence p must divide k. Let k = pm. Now we have (b(a m )−1 )p = b p (a pm )−1 = b p (a k )−1 = 1 / A, which implies which implies that b(a m )−1 has order dividing p. But b ∈ / A and, in particular, b(a m )−1 = 1. Consequently, we must that b(a m )−1 ∈ have |b(a m )−1 | = p. Thus b(a m )−1 is a cyclic group of order p so that it is / A, it follows that the generated by any non-identity member. Since b(a m )−1 ∈ n−1 m −1 only element in common between A and b(a ) is 1. Therefore, a p and b(a m )−1 are two distinct subgroups of G of order p. Lemma 4.4.4 Let G be a finite abelian p-group. Let A be a cyclic subgroup of G of maximal order for a cyclic subgroup. Then there is a subgroup B of G such that G the direct product of A and B. Proof. We proceed by induction. If G is cyclic, then G = A and we are done. So we assume that G is not cyclic. By Lemma 4.4.3, G must have at least two subgroups of order p. However, since A is cyclic, it also follows from
286 Introduction to Applied Algebraic Systems
Lemma 4.4.3 that A has only one subgroup of order p. Let P denote a subgroup of G of order p that is not contained in A. Then A ∩ P = {e}. Now P ⊆ AP, so that we can form the quotient group AP/P. By the Second Isomorphism Theorem, Theorem 4.2.3, we have AP/P ∼ = A/(A ∩ P) = A/{e} ∼ = A. Thus, AP/P is cyclic and the order of AP/P (∼ = A) must be a maximum among the orders of cyclic subgroups of G/P. By the induction hypothesis, G/P = (AP/P) × C for some subgroup C of G/P. By Lemma 4.1.11, there exists a subgroup B of G with P ⊆ B and C = B/P. Then, G/P = (AP)/P × B/P =⇒ G/P = ((AP)/P)(B/P) = (APB)/P =⇒ G = APB = AB where the final assertion follows from Lemma 4.1.11. However, A ∩ B = A ∩ AP ∩ B ⊆ AP ∩ B where x ∈ AP ∩ B =⇒ Px ∈ ((AP)/P) ∩ (B/P) = {P} =⇒ x ∈ P. Therefore, A ∩ B ⊆ P and A ∩ B = A ∩ (A ∩ B) ⊆ A ∩ P = {e} so that G is the direct product of A and B.
Theorem 4.4.5 (Fundamental Theorem for Finite Abelian Groups) Let G be a finite abelian group. Then G is isomorphic to a direct product of cyclic groups. Proof. We again proceed by induction on the order of G. The claim is clearly true if the order of G is a prime, since then G is cyclic. Let p be any prime dividing the order of G. With the notation introduced at the beginning of the section we have, by Lemma 4.4.1, that G is the direct product of Gp and Gp .
By Lemma 4.4.2, Gp is nontrivial. If Gp = G, then Gp must be nontrivial and
a proper subgroup of G. By the induction hypothesis applied to Gp and Gp ,
Groups: Homomorphisms and Subgroups 287
we see that Gp and Gp are both direct products of cyclic groups. Hence, G must also be a direct product of cyclic groups. Therefore, it only remains to consider the case G = Gp —that is, when G is a p-group. If G is cyclic, then we are finished. So suppose that G is not cyclic. Let A be a cyclic subgroup of G of maximum possible order. By Lemma 4.4.4, G is the direct product of A and another proper subgroup B. By the induction hypothesis, B is also a direct product of cyclic groups and so the proof is complete. In the next two results, we just give the fundamental theorem a more exact formulation, taking advantage of the fact that we know that every finite cyclic group is isomorphic to one of the groups (Zn , +). As a bonus, we obtain some uniqueness in the representation. Proposition 4.4.6 Let p be a prime number, n ∈ N, and G be an abelian group of order p n . Then there exist a1 , . . . , am ∈ G of orders p α1 , . . . , p αm (αi ∈ N) such that α1 ≥ α2 ≥ · · · ≥ αm , n = α1 + α2 + · · · + αm , and G is the internal direct product of the subgroups ai , 1 ≤ i ≤ m. The sequence of integers α1 , α2 , . . . , αm is unique. Proof. By the Fundamental Theorem of Finite Abelian Groups, G is a direct product of cyclic groups (which can be assumed to be subgroups) each of which must have an order dividing the order of G (that is, p n ) and therefore of the form p α for some integer α with 1 < α ≤ n. The first part of Proposition 4.4.6 then just consists of listing the exponents α in descending order. Concerning the uniqueness of the integers α1 , α2 , . . . , αm , we will not present a complete proof, but we will indicate how the number of elements of each order determines the values of α1 , α2 , . . . , αm . First note that we have shown that G∼ = a1 × a2 × · · · × am ∼ = Zp α1 × Zp α2 × · · · × Zp αm .
(4.2)
So it suffices to show how the number of elements of different orders determines the number of factors of each order in the product in (4.2). First consider Zp α . Then a ∈ Zp a , a = 0 , |a| = p ⇐⇒ pa = 0 ⇐⇒ p α | pa ⇐⇒ p α−1 | a ⇐⇒ a = kp α−1 , k = 0, 1, . . . , p − 1.
288 Introduction to Applied Algebraic Systems
Thus, the number of elements of order p is p − 1 and the number of elements of order ≤ p is p. Now consider (4.2). There, |(a1 , . . . , am )| ≤ p ⇐⇒ |ai | ≤ p,
1 ≤ i ≤ m.
Therefore, the number of elements of order ≤ p is p m . Thus, the number of elements of order, at most, p in G, which is quite independent of any way that we might like to represent G, completely determines the number of factors in any representation of the form (4.2). Similarly, the number of elements of order ≤ 2 determines the number of factors with αi ≥ p 2 , the number of elements of order ≤ p 3 determines the number of factors with αi ≥ 3, and so forth. The details will be given in the exercises. Thus, the representation in (4.2) is unique. This leads to the following common formulation of the Fundamental Theorem of Finite Abelian Groups. Theorem 4.4.7 Let G be a finite abelian group. (i) G is isomorphic to a direct product of the form Zp α11 × Zp α12 × · · · × Zp α21 × · · · × Zpmαm1 1
1
2
where the pi are prime numbers. The factors are unique to within the order in which they are written. (ii) G is isomorphic to a direct product of the form Zn1 × Zn2 × · · · × Znr
where ni+1 divides ni . The integers n1 , n2 , . . . , nr are unique. Proof. By the fundamental theorem, we know that G is a direct product of finite cyclic groups. By virtue of the fact that if (m, n) = 1 then Zmn ∼ = Zm × Zn , we can write any finite cyclic group as a direct product of cyclic groups of prime power order—that is, in the form given in (i)—and therefore we can also write G in this form. Uniqueness follows from the uniqueness in Proposition 4.4.6. To obtain the description in (ii), we take advantage of the fact that if (m, n) = 1, then Zm × Zn ∼ = Zmn . We then combine the factor in (i) involving the largest power of p1 with the factor involving the largest power of p2 , and so on. Then we combine all the factors with the second largest powers of each prime, and so on. This clearly leads to a description of G of the form given in (ii). Uniqueness follows from the uniqueness in (i).
Groups: Homomorphisms and Subgroups 289
Example 4.4.8 The claim in Theorem 4.4.7 (ii) is best understood by considering an example. Let G = Z24 × Z22 × Z33 × Z3 × Z3 × Z5 . Then G is written in the form of Theorem 4.4.7 (i). Since 24 , 33 , and 5 are relatively prime, we have Z24 × Z33 × Z5 ∼ = Z24 · 33 × Z5 ∼ = Z24 · 33 · 5 .
Similarly, Z22 × Z3 ∼ = Z22 · 3 .
Hence G ∼ = Z24 · 33 · 5 × Z22 · 3 × Z3 where 3 divides 22 · 3 and 22 · 3 divides 24 · 33 · 5. Thus we now have G written in the form of Theorem 4.4.7 (ii). The description of finite abelian groups in the Fundamental Theorem is satisfyingly complete and it would be unrealistic to expect to find similarly detailed and complete descriptions of larger classes of groups. However, we do find parallels of certain aspects of the theory of finite abelian groups in other classes. One feature that is fruitful in the study of nonabelian groups is the following corollary, which we will refer to in later sections. Corollary 4.4.9 Let G be a finite abelian group. Then there exists a sequence of subgroups {e} = Gr+1 ⊆ Gr ⊆ Gr−1 ⊆ · · · ⊆ G0 = G such that Gi / Gi+1 is cyclic for all i, 0 ≤ i ≤ r. Proof. By the fundamental theorem, we may write G as G = Zn1 × Zn2 × · · · × Znr .
290 Introduction to Applied Algebraic Systems
So let Gr = {e} Gr−1 = Zn1 × {0} × · · · × {0} Gr−2 = Zn1 × Zn2 × {0} × · · · × {0} .. . = Zn1 × · · · × Znr−1 × {0} = G.
G1 G0 Then
{e} = Gr ⊆ Gr−1 ⊆ · · · ⊆ G1 ⊆ G0 = G and Gi / Gi+1 ∼ = Znr−i is cyclic for all i with 0 ≤ i ≤ r − 1.
Exercises 4.4 1. List the elements of different orders in Z2 × Z2 × Z4 . 2. List the elements of different orders in Z2 × Z2 × Z3 . 3. List the elements of different orders in Z3 × Z4 . 4. List the elements of different orders in Z2 × Z3 × Z4 . 5. How many elements are there of the different possible orders in G = Z2 × Z2 × Z4 ? 6. How many elements are there of the different possible orders in G = Z4 × Z4 ? 7. How many elements are there of the different possible orders in G = Z2 × Z2 × Z4 ? 8. Let α, n ∈ N, α ≤ n, and p be a prime. Show that the number of elements of order p α in Zp n is p α − p α−1 . 9. Let p be a prime and G = Zp α1 × Zp α2 × · · · × Zp αn . Show that the number of elements in G of order p is p n − 1. 10. Let p be a prime and G = Zp α1 × Zp α2 × · · · × Zp αn .
Groups: Homomorphisms and Subgroups 291
Assume that αi ≥ α for 1 ≤ i ≤ m and that αi < α for m + 1 ≤ i ≤ n. Show that the number 0α of elements in G of order p α is 0α = p m(α−1)+αm+1 +···+αn (p m − 1). 11. In Exercise 10, assume that n is fixed. Now show that the value of m in Exercise 10 is uniquely determined by the value of 0α . 12. Let p be a prime number. How many elements are there of the different possible orders in G = Zp × Zp 2 × Zp 3 ? 13. Find all the subgroups of Z2 × Z2 × Z3 . 14. Find all the subgroups of Z2 × Z3 × Z4 . 15. Write the group G = Z2 × Z2 × Z3 × Z3 × Z4 in the form Zm1 × Zm2 × · · · × Zmk , where mi+1 divides mi . 16. Write the group G = Z2 × Z2 × Z3 × Z3 × Z4 × Z5 × Z6 in the form Zm1 × Zm2 × · · · × Zmk , where mi+1 divides mi . 17. How many nonisomorphic abelian groups are there of order 24? 18. How many nonisomorphic abelian groups are there of order 30? 19. How many nonisomorphic abelian groups are there of order 72? 20. Let G be an abelian group of order 2α with a unique element of order 2. Describe G as a product of cyclic groups. 21. Let G be an abelian group of order p α , where p is a prime, with p − 1 elements of order p. Describe G as a product of cyclic groups. 22. Let G = Z4 × Z8 , a = (1, 1), and A = a. Describe G/A as a direct product of cyclic groups. 23. Let G = Z2 × Z4 × Z8 , a = (1, 1, 1), and A = a. Describe G/A as a direct product of cyclic groups. 24. Let G denote the group (with respect to matrix multiplication) of all invertible m × m diagonal matrices over GF(p n ). Describe G as an internal and external direct product of cyclic groups. 25. Let G denote the group (with respect to matrix multiplication) of all m × m diagonal matrices over GF(p n ) with determinant equal to one. Describe G as an internal and external direct product of cyclic groups. 26. Describe (GF(p n ), +) as a direct product of cyclic groups. 27. Let G be a finite abelian p-group. Show that every nonidentity element in G/pG has order p. 28. Let G = Z2 × Z2 × Z3 . Find 2G and G2 .
292 Introduction to Applied Algebraic Systems
29. Let G = Z2 × Z3 × Z4 . Find 2G and G2 . 30. Let G be a finite abelian group and m be a positive integer that divides |G|. Prove that G has a subgroup of order m. 31. Let G be a finite abelian group of odd order. Show that the product of all the elements is equal to the identity. 32. Let G be an abelian group and T denote the set of elements in G of finite order. (i) Show that T is a subgroup of G. (ii) Show that the identity is the only element in G/T of finite order. T is called the torsion subgroup of G and is denoted by Tor (G). 33. Let p be a prime, m ∈ N, (p, m) = 1, n = pm, and G(p, m) = {[mx]n | x ∈ Z, (x, p) = 1}. (i) What is |G(p, m)|? (ii) Show that (G(p, m), ·) is an abelian group. (iii) Find G(5, 8), its identity, and determine the inverse of each element. 34. Let p, q, r be distinct primes and n = pqr. Let H (p, q, r) = {[a]n | p divides a, (a, q) = 1, (a, r) = 1}. (i) Show that (H (p, q, r), ·) is an abelian group. (ii) Determine the group H (2; 3, 5). 4.5 Conjugacy and the Class Equation
Elements a, b of a group G are said to be conjugate elements if there exists an element g ∈ G with b = gag −1 . Likewise, subgroups A and B of a group G are conjugate subgroups if there exists an element g ∈ G with B = gAg −1 . Lemma 4.5.1 Let G be a group. The relation ∼ defined on G by a∼b
if a and b are conjugate
is an equivalence relation on G. Proof. Exercise.
Let C[a] denote the class of a with respect to ∼. Then C[a] is the conjugacy class of a and the elements of C[a] are the conjugates of a. Similar terms and
Groups: Homomorphisms and Subgroups 293
notation are applied to subgroups. In particular, for any subgroup A, we denote by C[A] the conjugacy class of A, and the elements of C[A] are the conjugates of A. Theorem 4.5.2 Let α, β ∈ Sn . Then α and β are conjugate if and only if they have the same cycle pattern. Proof. First suppose that there exists σ ∈ Sn with β = σ ασ −1 . Consider any cycle γ = (a1 a2 · · · am ) and its conjugate σ γ σ −1 . For 1 ≤ i < m, (σ γ σ −1 ) σ (ai ) = σ γ (ai ) = σ (ai+1 ) while (σ γ σ −1 ) σ (am ) = σ γ (am ) = σ (a1 ). For 1 ≤ a ≤ n, and a = ai , (σ γ σ −1 ) σ (a) = σ γ (a) = σ (a). Since σ is a permutation, for all b with 1 ≤ b ≤ n, there exists an element a, 1 ≤ a ≤ n, with σ (a) = b. Hence, we have described the action of σ γ σ −1 completely: σ γ σ −1 = (σ (a1 ) σ (a2 ) · · · σ (am )) so that σ γ σ −1 is another cycle of length m. Now let α = α1 α2 · · · αk as a product of disjoint cycles. Then σ ασ −1 = (σ α1 σ −1 )(σ α2 σ −1 ) · · · (σ αk σ −1 ) where, by the preceding argument, σ αi σ −1 is a cycle of length equal to the length of αi . Also, for i = j, σ αi σ −1 and σ αj σ −1 are disjoint permutations. Hence, α and σ ασ −1 have the same cycle pattern. For the converse, now suppose that α and β have the same cycle pattern. Then we can write α and β as products of disjoint cycles α = α1 · · · αt β = β1 · · · βt
294 Introduction to Applied Algebraic Systems
where αi and βi are cycles of the same length for each i. Let α = (a11 a12 · · · a1m1 )(a21 a22 · · · a2m2 ) · · · (at 1 at 2 · · · atmt ) β = (b11 b12 · · · b1m1 )(b21 b22 · · · b2m2 ) · · · (bt 1 bt 2 · · · btmt ). Then, a11 a12 · · · a1m1 a21 · · · a2m2 · · · at 1 · · · atmt is just a rearrangement of 1, 2, 3, . . . , n, as is b11 · · · btmt . So we can define a permutation σ ∈ Sn by
a11 a12 · · · a1m1 a21 · · · a2m2 · · · at 1 · · · atmt b11 b12 · · · b1m1 b21 · · · b2m2 · · · bt 1 · · · btmt
.
Then, σ ασ −1 = (σ α1 σ −1 )(σ α2 σ −1 ) · · · (σ αt σ −1 ) = β1 β2 · · · βt = β. Thus, α and β are conjugate in Sn .
C. Deavours, in his review of [Rej] accompanying the article, describes Theorem 4.5.2 as “the theorem that won World War II” because of its importance in the cryptoanalytic work of the Polish mathematician M. Rejewski (see [Rej]) in breaking the Enigma code being used in the years prior to the outbreak of World War II. We will return to this topic in Section 4.10. Recall that Z (G) = {a ∈ G | ax = xa, ∀ x ∈ G} is called the center of G. Note that |C[a]| = 1 ⇐⇒ C[a] = {a} ⇐⇒ gag −1 = a , ⇐⇒ ga = ag , ⇐⇒ a ∈ Z (G).
for all g ∈ G for all g ∈ G
Thus, we may also write 0 / Z (G) = a ∈ G |C[a]| = 1 .
Groups: Homomorphisms and Subgroups 295
For a ∈ G, ZG (a) = {x ∈ G | ax = xa} is the centralizer of a in G. Note that ZG (a) = G ⇐⇒ a ∈ Z (G). Lemma 4.5.3 Let G be a group and a ∈ G. (i) Z (G) is a normal subgroup of G. (ii) ZG (a) is a subgroup of G. Proof. Exercise.
For any subgroup H of G, NG (H ) = {x ∈ G | xHx −1 = H } is called the normalizer in G of H . Clearly, NG (H ) = G ⇐⇒ H is normal in G. Lemma 4.5.4 Let H be a subgroup of G. (i) NG (H ) is a subgroup of G. (ii) H is a normal subgroup of NG (H ). (iii) NG (H ) is the largest subgroup of G in which H is normal. Proof. Exercise.
What can we say about the sizes of the nontrivial conjugacy classes? It turns out that these numbers must divide the order of the group. Lemma 4.5.5 Let G be a finite group a ∈ G and H be a subgroup of G. (i) |C[a]| = [G : ZG (a)]. (ii) |C[H ]| = [G : NG (H )]. Proof. (i) For any x, y ∈ G, we have xax −1 = yay −1 ⇐⇒ ax −1 y = x −1 ya ⇐⇒ x −1 y ∈ ZG (a) ⇐⇒ xZG (a) = yZG (a).
296 Introduction to Applied Algebraic Systems
Therefore, |C[a]| = number of left cosets of ZG (a) = |G| / |ZG (a)| = [G : ZG (a)]. The proof of part (ii) is similar.
Let G be a finite group and select one element from each conjugacy class to get a set of representatives {a1 , . . . , an }. For any a ∈ Z (G), we have C[a] = {a} so that a must be the representative of C[a]. Since each element of Z (G) is the representative of its class, let us list these first as a1 , a2 , . . . , am . Then, |G| =
n
|C[ai ]|
i=1
=
m
n
|C[ai ]| +
i=1
|G| = |Z (G)| +
|C[ai ]|
i=m+1 n
|G| / |ZG (ai )|.
i=m+1
This equation is the class equation for G. A very important application of the class equation is to p-groups. Theorem 4.5.6 Every nontrivial p-group has a nontrivial center. Proof. Let G be a nontrivial p-group—say, |G| = p α —where p is a prime and α ∈ N. From the class equation for G, we have p α = |G| = |Z (G)| +
n
|G| / |ZG (ai )|.
i=m+1
For m + 1 ≤ i ≤ n, since ai ∈ Z (G), we have |ZG (ai )| < |G| so that |G| / |ZG (ai )| > 1. At the same time, |G| / |ZG (ai )|
divides
|G| = p α .
(4.3)
Groups: Homomorphisms and Subgroups 297
Hence, |G| / |ZG (ai )| = p αi
for some 1 ≤ αi < α
from which it follows that p divides n
|G| / |ZG (ai )|.
i=m+1
It now follows from equation (4.3) that p | |Z (G)|.
Example 4.5.7 Let us consider the class equation for S4 . The conjugacy classes and their sizes are as follows:
4·3 4 = 2 1·2 4·3·2 3 4·3·2·1 4
2 cycles
(ab)
3 cycles
(abc)
4 cycles
(abcd)
2 × 2 cycles
(ab)(cd)
= 6 = 8 = 6 = 3.
6/2
The centralizers for each of the different cycle patterns are as follows: ZS4 ( ) ZS4 (ab) ZS4 (abc) ZS4 (abcd) ZS4 ((ab)(cd))
= S4 = { , (ab), (cd), (ab)(cd)} = { , (abc), (acb)} = (abcd) = { , (ab), (cd), (ab)(cd)}∪ { , (ab), (cd), (ab)(cd)} (ac)(bd).
Thus the class equation becomes 24 = |G| = |Z (G)| + =1+
|G| |ZG (ai )|
24 24 24 24 + + + 4 3 4 8
= 1 + 6 + 8 + 6 + 3.
298 Introduction to Applied Algebraic Systems
Exercises 4.5 1. Determine the conjugacy classes in each of the following groups: (i) S3 . (ii) D4 . (iii) Q8 . 2. Find the center of each of the following groups: (i) (ii) (iii) (iv) (v)
S3 . D4 . Q8 . A4 . S4 .
3. How many elements are there in the conjugacy class of the element α = (2 3)(4 5 6)(7 8 9 10) ∈ S10 ? ∗ 4.
How many elements are there in the conjugacy class of α ∈ Sn if α has cycle pattern 1r1 2r2 · · · n rn ?
5. Let G be a group such that G/Z (G) is cyclic. Prove that G is abelian. 6. Let G be a group such that G/Z (G) is abelian. Show, in contrast to the preceding exercise, that G need not be abelian. (Consider Q8 or D4 .) 7. Let p be a prime. Show that any group of order p 2 is abelian. ∗ 8.
Let |G| = p n where p is a prime. Let 0 ≤ k ≤ n. Prove that G has a normal subgroup of order p k .
∗ 9.
Let |G| = p n and H be a nontrivial normal subgroup of G. Prove that H ∩ Z (G) = {e}.
∗ 10.
Let Y and Z be nonempty subsets of the finite set X such that |Y | = |Z |. Let HY = {α ∈ SX | α(x) = x, ∀ x ∈ X \Y }. Let HZ be defined similarly. Prove the following: (i) HY is a subgroup of SX . (ii) HY ∼ = SY . (iii) HY and HZ are conjugate subgroups of SX .
∗ 11.
Let G be a finite group and a, b ∈ G be such that |a| = |b|. Show that there exists a group H and a monomorphism ϕ : G → H such that ϕ(a) and ϕ(b) are conjugate in H .
Groups: Homomorphisms and Subgroups 299 ∗ 12.
Let G and H be finite groups and a ∈ G, b ∈ H be such that |a| = |b|. Show that there exists a group K and monomorphisms θ : G → K , ϕ : H → K such that θ (a) and ϕ(b) are conjugate.
4.6 The Sylow Theorems 1 and 2
We know from Lagrange’s Theorem that the order of a subgroup of a finite group G must divide the order of G. A natural related question is the following: If m ∈ N and m divides |G|, does there exist a subgroup of G of order m? The answer, in general, is no. For example, A4 (of order 12) has no subgroup of order 6. However, there are circumstances in which the answer will be yes. We consider one such situation here and consider three fundamental theorems of the Norwegian mathematician Ludwig Sylow (1832–1918). Before we consider the first theorem, we require a little combinatorial $ % observation. First recall that we can write the binomial coefficient nr as follows: n(n − 1) . . . (n − r + 1) n! n = = r (n − r)! r! 1 · 2...r =
n(n − 1) . . . (n − (r − 1)) r · 1 · 2 . . . (r − 1)
Lemma 4.6.1 Let p be a prime, r, α ∈ N, and (p, r) = 1. Then p does not divide α p r n= . pα Proof. We have α p α r(p α r − 1)(p α r − 2) . . . (p α r − (p α − 1)) p r n= = α p p α · 1 · 2 . . . (p α − 1) p α −1
=r
pα r − k . k
k=1
We want to see that (n, p) = 1. Consider the factors cases:
p α r−k k .
There are two
(a) (p, k) = 1. Then p does not divide p α r − k. (b) (p, k) > 1, say k = p β s where 1 ≤ β < α and (p, s) = 1. Then, pα r − k p β (p α−β r − s) p α−β r − s = = k pβ s s
300 Introduction to Applied Algebraic Systems p α r−k
and p does not divide p α−β r − s. Hence, after cancellation, k is a rational fraction with no factor of p in the numerator. Thus, p cannot divide n. Theorem 4.6.2 (Sylow’s First Theorem) Let G be a group of order p α r, where p is a prime, α ≥ 1 and (p, r) = 1. Then G contains a subgroup of order p α . Proof. Let S denote the set of all subsets of G consisting of exactly p α elements, say S = {S1 , S2 , . . . , Sn } where
pα r n= . pα By Lemma 4.6.1, p does not divide n. Now, for all x ∈ G, we have |xSi | = p α . Hence, for all i = 1, 2, . . . , n and all x ∈ G, there must exist an integer j with xSi = Sj . We clearly have that xSi = xSj ⇒ Si = Sj In addition, for all j with 1 ≤ j ≤ n and for all x ∈ G, we have x(x −1 Sj ) = Sj . Therefore, each element of G defines a permutation of S. Also, for distinct x, y ∈ G, let Si be such that it contains the identity of G, but not the element xy −1 . Clearly such a subset must exist, since r > 1. Then xy −1 Si = Si so that xy −1 does not define the identity permutation and, equivalently, x and y define distinct permutations. In this way, we can consider G as a group of permutations of S. Let the orbits in S under the action of G be O1 , O2 , . . . , Ok and M = |S|. Then M=
k
|Oi |.
i=1
Since p does not divide |S|, there must exist k such that p does not divide |Ok |. Let St be any element of Ok . By the Orbit/Stabilizer Theorem (Theorem 3.9.2), we have |G| = |Ok | · |S(St )| But p does not divide |Ok |, so we must have p α dividing |S(St )|. In particular, that means that p α ≤ |S(St )|. On the one hand, for any element z of St , viewing S(St )z as a right coset of S(St ), we get |S(St )| = |S(St )z|. On the
Groups: Homomorphisms and Subgroups 301
other hand, viewing S(St ) as the stabilizer of St , we must have S(St )z ⊆ St and therefore |S(St )z| ≤ |St | = p α . Consequently, |S(St )| = |S(St )z| ≤ p α and we have equality |S(St )| = p α . Thus S(St ) is a subgroup of order p α and the proof is complete. If |G| = p α r where p is a prime and (p, r) = 1, then any subgroup H of G of order p α is called a Sylow p-subgroup of G. By Theorem 4.6.2, we know that such subgroups always exist. Example 4.6.3 |S3 | = 6. By Sylow’s First Theorem, S3 has subgroups of orders 2 and 3. These are easy to recognize. For example, A = { , (1 2 3), (1 3 2)} is a subgroup of order 3 and B1 = { , (1 2)} B2 = { , (1 3)} B3 = { , (2 3)} are all subgroups of order 2. Now A is the only subgroup of S3 of order 3, so that we see immediately that a finite group may have a unique Sylow p-subgroup for some prime p and several Sylow p-subgroups for other primes. We are now ready to give the generalization of Lemma 4.4.2 that was promised. Corollary 4.6.4 (Cauchy’s Theorem) Let G be a finite group and p be a prime dividing |G|. Then G contains an element of order p. Proof. Let H be a Sylow p-subgroup of G and a ∈ H , a = e. Then the order of a must divide the order of H . Since |H | = p α , for some α ∈ N, we must β−1 have |a| = p β for some β ∈ N, α ≤ β. Then, a p has order p. Now suppose that H is a Sylow p-subgroup of a finite group G and that a ∈ G. Then |aHa −1 | = |H | so that aHa −1 must also be a Sylow p-subgroup of G. In other words, any conjugate of a Sylow p-subgroup is also a Sylow p-subgroup. As we shall soon see, this is the only way to obtain “new” Sylow p-subgroups. However, once again we require a preliminary counting lemma. Lemma 4.6.5 Let H and K be subgroups of a group G and define a relation ∼ on G by a ∼ b ⇐⇒ ∃ h ∈ H , k ∈ K
with
b = hak.
302 Introduction to Applied Algebraic Systems
Then, ∼ is an equivalence relation. For any a ∈ G, the ∼ class of a is HaK . Proof. Exercise
The subsets of the form HaK that show up as the equivalence classes under ∼ are sometimes referred to as double cosets. Since the double cosets with respect to two subgroups are classes of an equivalence relation, it follows that any two are either identically equal or disjoint. However, double cosets are not quite as “regular” as the usual cosets, in the sense that different double cosets may have different sizes. Example 4.6.6 Let H = { , (1 2)}, K = { , (1 3)} in S3 , and let a = (2 3). Then HaK = { , (1 2)} (2 3) { , (1 3)} = {(2 3), (2 3)(1 3), (1 2)(2 3), (1 2)(2 3)(1 3)} = {(2 3), (1 2 3), (1 2 3), (2 3)} = {(2 3), (1 2 3)}. However, since (1 2) ∈ H , H (1 2)K = HK = { , (1 2)} { , (1 3)} = { , (1 3), (1 2), (1 2)(1 3)} = { , (1 2), (1 3), (1 3 2)}. Thus, S3 = H (2 3)K ∪ H (1 2)K where |H (2 3)K | = 2,
|H (1 2)K | = 4.
Theorem 4.6.7 (Sylow’s Second Theorem) Let G be a finite group and p be a prime with p |G|. Let H and K be Sylow p-subgroups of G. Then H and K are conjugate in G. Proof. Let |G| = p α r where α ∈ N and (p, r) = 1. Then |H | = |K | = p α . Let the distinct double cosets of H and K in G be Hx1 K , Hx2 K , . . . , Hxn K
Groups: Homomorphisms and Subgroups 303
where xi ∈ G. Now every double coset Hxi K is a union of left cosets of K . So the number of left cosets of K in Hxi K is, by Proposition 4.1.12, just |H | · |xi Kxi−1 | pα |Hxi K | = = pα p α di di
(4.4)
where di = |H ∩ xi Kxi−1 |. The total number of left cosets of K in G is p α r/p α = r. Hence, from (4.4), we have r=
n pα i=1
di
.
But, (p, r) = 1, so there must exist some i with di = p α . Without loss of generality, we can take i = 1. Then H ∩ x1 Kx1−1 ⊆ H and |H ∩ x1 Kx1−1 | = d1 = p α = |H |. Thus, H ∩ x1 Kx1−1 = H . But we also have |xKx1−1 | = p α = |H |. Therefore, H = x1 Kx1−1 and H and K are conjugate subgroups.
The situation in which a group has unique Sylow p-subgroups deserves special mention. Corollary 4.6.8 Let p be a prime number that divides the order of the finite group G. Then G has just one Sylow p-subgroup if and only if it has a normal Sylow p-subgroup. Proof. First suppose that P is a unique Sylow p-subgroup of G. Since any conjugate of P would also be a Sylow p-subgroup, it follows that P = xPx −1 , for all x ∈ G, and therefore P is normal.
304 Introduction to Applied Algebraic Systems
Conversely, suppose that P is a normal Sylow p-subgroup of G. Then the only conjugate of P is P itself and, therefore, by Sylow’s Second Theorem, P is the unique Sylow p-subgroup. For example, S3 has a unique Sylow 3-subgroup H = { , (1 2 3), (1 3 2)}, which is normal in S3 but has three Sylow 2-subgroups listed in Example 4.6.3. By Theorem 4.6.7, these Sylow 2-subgroups must be conjugate. In Section 4.9, we will take a closer look at finite groups in which every Sylow subgroup is normal. Exercises 4.6 1. Find the unique Sylow 2-subgroup of A4 . 2. Find all Sylow 3-subgroups of A4 . Show that they are conjugate. 3. Let N be a normal subgroup of a group G and a ∈ G be an element of order 2. Show that N ∪ Na is a subgroup of G. 4. Find all the Sylow 2-subgroups of S4 and show that they are conjugate. (Hint: Use Exercise 3 in this section and the fact that the Sylow 2-subgroup of A4 found in Exercise 1 in this section is normal in S4 .) 5. Let G be a group of order p α r where p is a prime, r ∈ N, and (p, r) = 1. Let H be a subgroup of G of order p β where β ≤ α. Show that H ⊆ P, for some Sylow p-subgroup P. (Hint: Adapt the proof of Sylow’s Second Theorem.) 6. Let H , K be subgroups of a group G and define the relation ∼ on G by a ∼ b ⇐⇒ ∃ h ∈ H , k ∈ K
with
b = hak.
Show that ∼ is an equivalence relation on G and that the ∼ class containing a is HaK . 7. Let H = (1 2 3) and K = (1 2)(3 4) in A4 . Determine the classes of the relation ∼ as defined in Exercise 6. 8. Let H be a subgroup of a group G and define a relation ∼ on the set S of all subgroups of G by A ∼ B ⇐⇒ ∃ h ∈ H
with
B = hAh −1 .
Show that ∼ is an equivalence relation on S . 9. Let p be a prime and G be a finite group such that the order of every element in G is a power of p. Show that G is a p-group.
Groups: Homomorphisms and Subgroups 305
4.7 Sylow’s Third Theorem
Sylow’s Third Theorem gives us information regarding the number of Sylow subgroups that may occur in a finite group. This is extremely valuable information in the search for features of a group, such as normal subgroups, that might be used in the analysis of a group’s structure. Theorem 4.7.1 (Sylow’s Third Theorem) Let G be a group of order p α r where p is a prime, α, r ∈ N, and (p, r) = 1. Then the number of Sylow p-subgroups is of the form 1 + kp, for some integer k, and divides r. Proof. If there is only one Sylow p-subgroup, then we can take k = 0 and the claim holds trivially. So suppose that there is more than one and let P be one of them. By Theorem 4.6.7 (Sylow’s Second Theorem), the Sylow p-subgroups of G are then just the conjugates of P. By Lemma 4.5.5 (ii), the number of distinct conjugates of P is [G : NG (P)] which is a number that divides |G|. To see that the number of Sylow p-subgroups is of the form 1 + kp, let the Sylow p-subgroups other than P be P1 , P2 , . . . , Pm . We will show that p divides m. Define a relation ∼ on P = {P1 , . . . , Pm } by Pi ∼ Pj ⇐⇒ ∃ x ∈ P
with
Pj = xPi x −1 .
Note that only elements from P are used here to determine the relation ∼. It is again straightforward to verify that ∼ is an equivalence relation on P . Let the equivalence classes be O1 , O2, . . . , OK . Then m=
K
|Oi |.
i=1
Let Pi ∈ Oi and " # S(Pi ) = x ∈ P|xPi x −1 = Pi . Clearly S(Pi ) is a subgroup of P and, just as in the Orbit/Stabilizer Theorem (Theorem 3.9.2), we have |P| = |Oi | · |S(Pi )|.
306 Introduction to Applied Algebraic Systems
Thus |Oi | divides p α . Suppose that there exists an orbit Oi with just a single element, Oi = {Pi }. Then Pi = xPi x −1 , for all x ∈ P. Therefore, P ⊆ NG (Pi ). Then, P and Pi are both subgroups of NG (Pi ). Hence, p α = |P| = |Pi | divides |NG (Pi )|. However, p α is the largest power of p dividing |G|, so it must also be the largest power of p dividing |NG (Pi )|. Therefore, P and Pi are Sylow p-subgroups of NG (Pi ). Invoking Sylow’s Second Theorem, we may assert the existence of h ∈ NG (Pi ) with P = hPi h −1 . But, h ∈ NG (Pi ). Consequently, hPi h −1 = Pi and therefore P = Pi . This contradicts the assumption that P and Pi are distinct. It follows that |Oi | > 1, for all i and therefore that |Oi | = p αi for some integer αi > 0 . Hence we have m=
K
p αi = kp
i=1
for some integer k. Therefore, when we add 1 to include P we find that the total number of Sylow p-subgroups is of the form 1 + kp. From the beginning of the proof, we know that 1 + kp must divide |G| = p α r. However, 1 + kp and p are relatively prime. Therefore 1 + kp must divide r. If p is a prime dividing the order of a group G, then we denote by sp the number of Sylow p-subgroups in G. The Sylow theorems enable us to gather a wealth of information regarding groups of small order. Example 4.7.2 Let |G| = 48 = 24 · 3. Then, s2 = 1 + k2 and divides 3. Therefore, s2 = 1 or 3. Also, s3 = 1 + k3 and divides 16. Therefore, s3 = 1, 4, or 16. Example 4.7.3 Let |G| = 1225 = 52 · 72 . Then, s5 = 1 + k5 and divides 72 , so that s5 = 1. Similarly, s7 = 1 + k7 and divides 52 so that s7 = 1 as well. Thus, G has a unique normal Sylow 5-subgroup P5 , say, and a unique normal Sylow 7-subgroup, P7 , say, where |P5 | = 52 and |P7 | = 72 . Hence, P5 ∩ P7 = {e} and, by Proposition 4.1.12, |P5 P7 | =
52 · 72 |P5 | · |P7 | = = |G|. |P5 ∩ P7 | 1
Thus, G = P5 P7 and G is the internal direct product of P5 and P7 . By Theorem 4.3.3, G ∼ = P5 × P7 . Now |P5 | = 52 so that, by Exercise 7 in section 4.5, P5 is abelian. Likewise P7 is abelian, and therefore G itself is abelian. Example 4.7.4 Let |G| = 15. In this example we can go even further than in the previous one. We have s3 = 1 + k3 and must divide 5, so that s3 = 1.
Groups: Homomorphisms and Subgroups 307
Likewise s5 = 1 + k5 and divides 3, so that s5 = 1. Thus, G has a unique normal Sylow 3-subgroup P3 , say, and a unique normal Sylow 5-subgroup P5 , say. As in the previous example, P3 ∩ P5 = {e} so that G is the internal direct product of P3 and P5 . Hence, G ∼ = P3 × P5 . Now, |P3 | = 3 and |P5 | = 5 so that both P3 and P5 are cyclic; P3 ∼ = Z3 and P5 ∼ = Z5 . Thus, ∼ ∼ G = Z3 × Z5 = Z15 . The observations in these examples concerning direct products of Sylow p-subgroups generalize nicely to a powerful theorem. αm where, for Theorem 4.7.5 Let G be a finite group with |G| = p1α1 · · · pm 1 ≤ i ≤ m, the pi are distinct prime numbers and αi ∈ N. Suppose that for each i, there exists a unique (normal ) Sylow pi -subgroup Pi . Then G is isomorphic to
P1 × P2 × · · · × Pm . Proof. Let t be such that 1 ≤ t ≤ m. Since each Pi is normal in G, it follows that P1 P2 · · · Pt is also a normal subgroup of G (Exercise 10 in section 4.1). We will show by induction on t that |P1 P2 . . . Pt | = |P1 | · |P2 | . . . |Pt |. The claim is trivially true for t = 1. So suppose that it holds for t − 1. Then α
t −1 , |P1 . . . Pt −1 | = p1α1 . . . pt −1
|Pt | = ptαt
from which it follows that P1 . . . Pt −1 ∩ Pt = {e}. Hence, by Proposition 4.1.12 and the induction hypothesis, |P1 P2 . . . Pt | = |(P1 P2 . . . Pt −1 )Pt | =
|P1 P2 . . . Pt −1 | · |Pt | |P1 P2 . . . Pt −1 ∩ Pt |
= |P1 | |P2 | . . . |Pt −1 | · |Pt |. By induction, we have |P1 P2 . . . Pm | = |P1 | . . . |Pm | = |G|.
(4.5)
308 Introduction to Applied Algebraic Systems
Therefore, P1 P2 . . . Pm = G. In addition, the argument that led to (4.5) will also show that Pi ∩ P1 . . . Pi−1 Pi+1 . . . Pm = {e} for all 1 ≤ i ≤ m. Hence, G is the internal direct product of the Pi and therefore, by Exercise 3 in section 4.3, the proof is complete. Example 4.7.6 Let |G| = 52 · 7 · 19 = 3325. Then G has a unique (normal) Sylow 5-subgroup P5 , Sylow 7-subgroup P7 , and Sylow 19-subgroup P19 . Therefore, G∼ = P5 × P7 × P19 . Since |P5 | = 52 , |P7 | = 7, and |P19 | = 19, these are all abelian groups and therefore G is also abelian.
Exercises 4.7 1. Let G be a group of order 24 72 . How many Sylow 2-subgroups and Sylow 7-subgroups might it have? 2. Let G be a group of order 20. Show that G has a proper nontrivial normal subgroup. 3. Let G be a group of order 225. Show that G has a proper nontrivial normal subgroup. 4. Let G be a group of order pq, where p and q are distinct primes. Let G have a unique Sylow p-subgroup P and a unique Sylow q-subgroup Q. Show that G is the internal direct product of P and Q. Deduce that G is cyclic. 5. Let G be a group of order 35. Show that G is cyclic. 6. Let G be a group of order p α r, where p is a prime, r ∈ N, and r < p. Show that G has a proper nontrivial normal subgroup. 7. Let p be a prime dividing the order of a group G. Show that the intersection of all the Sylow p-subgroups is a normal subgroup of G. 8. Let G be a group of order p α r with X = {P1 , P2 , . . . , Pk } as its set of Sylow p-subgroups. For each element g ∈ G, define a mapping αg : X → X , by αg (Pi ) = gPi g −1 . (i) Show that αg is a permutation of X . (ii) Show that the mapping α : g → αg is a homomorphism of G into SX . (iii) Show that α(G) acts transitively on X .
Groups: Homomorphisms and Subgroups 309
4.8 Solvable Groups
The commutator of the elements x, y in a group is the element [x, y] = x −1 y −1 xy. Note that xy = yx[x, y] so that, in some sense, the commutator [x, y] reflects or measures the extent to which the elements x and y do not commute. The subgroup generated by all the commutators of a group G is the commutator subgroup or the derived subgroup. It is denoted variously by [G, G] or G or G (1) . We begin with some simple observations concerning commutators. First, the inverse of a commutator is a commutator: [x, y]−1 = (x −1 y −1 xy)−1 = y −1 x −1 yx = [y, x]. Therefore, the inverse of a product of commutators is still just a product of commutators. Hence the commutator subgroup is generated simply by forming all products of commutators without regard to inverses: [G, G] = {c1 c2 · · · cm | ci is a commutator}. Also, any conjugate of a commutator is a commutator: a −1 [x, y]a = a −1 x −1 y −1 xya = a −1 x −1 aa −1 y −1 aa −1 xaa −1 ya = [a −1 xa, a −1 ya]. Consequently, for any commutators c1 , . . . , cm , a −1 c1 · · · cm a = a −1 c1 aa −1 c2 a · · · a −1 cm a = c1 c2 · · · cm
where each ci = a −1 ci a is a commutator. Hence, a −1 [G, G]a ⊆ [G, G]
for all a ∈ G
which establishes the following lemma. Lemma 4.8.1 [G, G] is a normal subgroup of G. It is on account of the next result that the commutator subgroup is so important.
310 Introduction to Applied Algebraic Systems
Theorem 4.8.2 Let N be a normal subgroup of a group G. Then the following statements are equivalent: (i) G/N is abelian. (ii) [G, G] ⊆ N . In particular, G is abelian if and only if [G, G] = {e}. Proof. We have G/N is abelian ⇐⇒ NxNy = NyNx
∀ x, y ∈ G
⇐⇒ Nxy = Nyx
∀ x, y ∈ G
⇐⇒ (Nyx)−1 Nxy = N
∀ x, y ∈ G
⇐⇒ Nx −1 y −1 xy = N
∀ x, y ∈ G
⇐⇒ [x, y] = x −1 y −1 xy ∈ N
∀ x, y ∈ G
⇐⇒ [G, G] ⊆ N .
Theorem 4.8.2 tells us that [G, G] is the smallest normal subgroup of G such that the quotient is abelian. So it should come as no surprise that the quotient G / [G, G] should, in a certain sense, be the largest abelian homomorphic image of G. We make this precise, as follows. Lemma 4.8.3 Let ϕ : G → H be an epimorphism from a group G to an abelian group H . Let π : G → G / [G, G] be the natural homomorphism. Then there exists an epimorphism θ : G / [G, G] → H such that θπ = ϕ. ϕ
G π
-H 3
θ
? G / [G, G]
Proof. By the First Isomorphism Theorem, we know that H is isomorphic to G/ ker(ϕ). Since H is abelian, so also is G/ ker(ϕ). By Theorem 4.8.2, this implies that [G, G] ⊆ ker(ϕ). Now define a mapping θ : G / [G, G] → H by θ [G, G]g = ϕ(g ). We have [G, G]g = [G, G]h =⇒ gh −1 ∈ [G, G] ⊆ ker(ϕ) =⇒ ϕ(gh −1 ) = eH =⇒ ϕ(g ) = ϕ(h)
Groups: Homomorphisms and Subgroups 311
from which it follows that θ is indeed well defined. For any elements x = [G, G]g , y = [G, G]g ∈ G / [G, G], θ (xy) = θ [G, G]gg = ϕ(gg ) = ϕ(g ) ϕ(g ) = θ (x) θ(y) so that θ is a homomorphism. Finally, for any h ∈ H , there exists a g ∈ G with ϕ(g ) = h, since ϕ is surjective. Then θ [G, G]g = ϕ(g ) = h. Thus, θ is surjective and, therefore, an epimorphism. Finally, for any g ∈ G, we have θ π(g ) = θ ([G, G]g ) = ϕ(g ). Thus, θπ = ϕ.
The process of forming the derived subgroup can be repeated to yield the derived subgroup of the derived subgroup, and so on. Let us write G (0) = G G (1) = [G, G] = [G (0) , G (0) ] G (2) = [G, G], [G, G] = [G (1) , G (1) ] .. . G (n+1) = [G (n) , G (n) ]. In this way we obtain a descending sequence of subgroups G = G (0) ⊇ G (1) ⊇ G (2) · · · . In a finite group, this sequence must obviously cease to change from some point onward. However, in some infinite groups it will continue indefinitely. Lemma 4.8.4 Let G be a group. Then, for all n ≥ 0, G (n) is a normal subgroup of G. Proof. By Lemma 4.8.1, we know that each G (n) is a subgroup of G. We will show by induction on n that each G (n) is actually a normal subgroup
312 Introduction to Applied Algebraic Systems
in G. Since G (0) = G, the claim is certainly true for n = 0. Now assume that the claim is true for n. Let a, b ∈ G (n) , x ∈ G. Then, by the induction hypothesis, xax −1 = a , xbx −1 = b ∈ G (n) so that x[a, b]x −1 = [xax −1 , xbx −1 ] = [a , b ] ∈ G (n+1) . However, G (n+1) is the subgroup of G generated by elements of the form [a, b] where a, b ∈ G (n) . Hence, xG (n+1) x −1 ⊆ G (n+1) Thus, G (n+1) is normal in G.
for all x ∈ G.
A group G is said to be solvable if there exist normal subgroups Gi , 1 ≤ i ≤ r, such that {e} ⊆ Gr ⊆ Gr−1 ⊆ · · · ⊆ G1 ⊆ G and Gi / Gi+1 is abelian for all i. The class of solvable groups is not only important in the development of group theory, it also plays an important role in the study of the solution of equations by radicals—a central topic in Galois Theory. Theorem 4.8.5 Let G be a group. If G is a finite group then the following conditions are equivalent. If G is an infinite group, then conditions (i), (iii), and (iv) are equivalent: (i) G is solvable. (ii) G has a sequence of subgroups {e} = Gs+1 ⊆ Gs ⊆ · · · ⊆ G1 ⊆ G0 = G such that Gi+1 is a normal subgroup of Gi for i = 0, 1, . . . , s and Gi / Gi+1 is cyclic.
Groups: Homomorphisms and Subgroups 313
(iii) G has a sequence of subgroups {e} = Gs+1 ⊆ Gs ⊆ · · · ⊆ G1 ⊆ G0 = G such that Gi+1 is a normal subgroup of Gi and Gi / Gi+1 is abelian. (iv) There exists an integer n such that G (n) = {e}. Proof. It is clear that, for an arbitrary group, (i) implies (iii) and (ii) implies (iii). Now let G be finite and we will show that (i) implies (ii). By (i), there exists a sequence of subgroups {e} = Gr ⊆ Gr−1 ⊆ · · · ⊆ G1 ⊆ G0 = G where Gi is normal in G and Gi / Gi+1 is abelian, 0 ≤ i ≤ r − 1. Since G is finite, Gi / Gi+1 is a finite abelian group and so, by Corollary 4.4.9, there exists a chain of subgroups {Gi+1 } = Ht ⊆ · · · ⊆ H1 ⊆ H0 = Gi / Gi+1 such that Hj / Hj+1 is cyclic. Let Gi+1, j = {g ∈ G | Gi+1 g ∈ Hj },
0 ≤ j ≤ t.
In other words, Gi+1, j is the preimage of Hj with respect to the natural homomorphism πi : Gi → Gi / Gi+1 so that Gi+1,0 = Gi , Gi+1,t = Gi+1 . Then Gi+1, j is a subgroup of G and Gi+1, j / Gi+1 = Hj . Since Gi / Gi+1 is abelian, Hj is a normal subgroup of Gi / Gi+1 . Hence, as the preimage of Hj under πi , Gi+1, j is a normal subgroup of Gi , and therefore a normal subgroup of Gi+1, j−1 where, by the Third Isomorphism Theorem, Gi+1, j−1 / Gi+1 Gi+1, j−1 / Gi+1, j ∼ = Gi+1, j / Gi+1 ∼ = Hj−1 / Hj
314 Introduction to Applied Algebraic Systems
which is cyclic. Repeating the argument for each i, 1 ≤ i ≤ r − 1, we obtain the sequence of subgroups {e} ⊆ · · · ⊆ Gr−1,1 ⊆ Gr−1,0 ⊆ · · · ⊆ Gi+1 ⊆ · · · Gi+1,j ⊆ · · · Gi+1,0 = Gi · · · ⊆ G0,1 ⊆ G0,0 = G with the required properties. Thus (i) implies (ii). (iii) implies (iv). We will show, by induction on i that G (i) ⊆ Gi , for all i. Since G/G1 is abelian, it follows from Theorem 4.8.2 that G (1) ⊆ G1 so that the claim is true for i = 1. Now suppose that the claim is true for i—that is, G (i) ⊆ Gi . Then, Gi / Gi+1 is abelian so that, again by Theorem 4.8.2, (1) Gi ⊆ Gi+1 . Hence, G (i+1) = [G (i) , G (i) ] ⊆ [Gi , Gi ]
(by the induction hypothesis)
(1)
= Gi
⊆ Gi+1 . Therefore, by induction, G (s+1) ⊆ Gs+1 = {e}. (iv) implies (i). The chain {e} = G (n) ⊆ G (n−1) ⊆ · · · ⊆ G (1) ⊆ G has the required properties.
We conclude the section with one last result that requires volumes to justify and so is far beyond the scope of this book. Theorem 4.8.6 (Feit/Thompson Theorem, 1963) Every group of odd order is solvable. This chapter has been devoted, in large measure, to the study of normal subgroups. Of course, every nontrivial group G has at least two normal subgroups: namely, {e} and G. For some groups there are no others. If G is a nontrivial group and the only normal subgroups of G are {e} and G, then G is said to be simple. By the Feit/Thompson Theorem, the order of any finite simple nonabelian group must be even. The search for a characterization of all finite simple groups was, for many years, the Holy Grail of finite group theory. It was finally considered to be completed in 1983. The proof involved
Groups: Homomorphisms and Subgroups 315
an estimated 15,000 pages in 500 journal articles involving approximately 100 authors. Not surprisingly, it has sometimes been referred to as the enormous theorem. Exercises 4.8 1. Find the derived subgroup of each of the following groups: (i) (ii) (iii) (iv) (v) (vi) (vii)
Any abelian group G. S3 . A4 . S4 . D4 . Q8 . Dn .
2. Show that all groups listed in Exercise 1 are solvable. 3. Let H be a subgroup of a solvable group G. Show that H is solvable. 4. Let G be a solvable group and ϕ : G → H be an epimorphism. Show that H is also solvable. 5. Let G and H be solvable groups. Show that G × H is solvable. 6. Let G be a nontrivial, simple abelian group. Show that there exists a prime p with G ∼ = Zp .
4.9 Nilpotent Groups
We have seen in sections 4.6 and 4.7 that the ability to show that a finite group is the direct product of its Sylow subgroups can be a major step in describing the structure of the group. The class of finite groups with precisely that property will be the focus of this section. By a central series in a group G we mean a series of subgroups {1} = Gn ⊆ Gn−1 ⊆ Gn−2 ⊆ · · · ⊆ G0 = G
(4.6)
such that (i) Gi is normal in G for all i = 0, . . . , n (ii) Gi / Gi+1 ⊆ Z (G/Gi+1 ) for i = 0, 1, . . . , n − 1. The length of the series in (4.6) is n. If the group G has a central series as in (4.6), then it is called a nilpotent group and is said to be of class n if n is the length of the shortest such series. Note that G is nilpotent of class 1 if and only if it is abelian and that, from their respective definitions, it is evident that a nilpotent group must be
316 Introduction to Applied Algebraic Systems
solvable. Thus, abelian =⇒ nilpotent =⇒ solvable. Before coming to the main results concerning nilpotent groups, we need to do some preparatory work with “commutator” subgroups. For any subsets X , Y of a group G, let [X , Y ] = [x, y] | x ∈ X , y ∈ Y . Thus, [X , Y ] is the subgroup generated by all the commutators that can be formed using an element from X and an element from Y . In particular, we should note that X ⊆ Z (G) =⇒ [X , Y ] = {1} since [x, y] = 1 for all x ∈ Z (G). Lemma 4.9.1 Let N and H be subgroups of G with N ⊆ H ⊆ G and N normal in G. (i) H /N ⊆ Z (G/N ) ⇐⇒ [H , G] ⊆ N . (ii) If H is also normal in G, then [H , G] ⊆ H and [H , G] is normal in G. Proof. (i) We have that H /N ⊆ Z (G/N ) ⇐⇒ aN · hN = hN · aN for all h ∈ H , a ∈ G ⇐⇒ ahN = haN for all h ∈ H , a ∈ G ⇐⇒ N = h −1 a −1 haN for all h ∈ H , a ∈ G ⇐⇒ h −1 a −1 ha ∈ N for all h ∈ H , a ∈ G ⇐⇒ [H , G] ⊆ N . (ii) Now suppose that H is a normal subgroup of G. Let h ∈ H and g , x ∈ G. Then, by the normality of H , [h, g ] = h −1 g −1 hg = h −1 (g −1 hg ) ∈ H .
Groups: Homomorphisms and Subgroups 317
Therefore, [H , G] ⊆ H . Also, x[h, g ]x −1 = x(h −1 g −1 hg )x −1 = (xhx −1 )−1 (xgx −1 )−1 (xhx −1 )(xgx −1 ) = a −1 b −1 ab = [a, b] where a = xhx −1 ∈ H
and b = xgx −1 ∈ G.
Thus, x[h, g ]x −1 ∈ [H , G] for all h ∈ H , g ∈ G. Therefore [H , G] is normal in G.
A minor difficulty with the definition of a nilpotent group is that it depends on the existence of a series of subgroups with a certain property with no indication as to how one might find such a series. The following will help to resolve that difficulty. For any group G, the following series of subgroups is known as the lower central series : Z 1 (G) = G, Z 2 (G) = [G, G], Z 3 (G) = [G, G], G = [Z 2 (G), G], . . . , Z n+1 (G) = [Z n (G), G]. Clearly, Z 1 (G) ⊇ Z 2 (G) ⊇ Z 3 (G) ⊇ · · · . In general, this series can be infinite, it can stop at some nontrivial subgroup, or it can stop when it reaches the trivial subgroup. Lemma 4.9.2 Let N be a normal subgroup of a group G and n ∈ N. (i) Z n (G) is a normal subgroup of G. (ii) Z n (G) / Z n+1 (G) ⊆ Z (G/Z n+1 (G)). (iii) Z n (G)N /N ⊆ Z n (G/N ). Proof. (i) Since Z 1 (G) = G, the claim is true trivially for n = 1. Arguing by induction, let us assume that the claim is true for n—that is, that Z n (G) is
318 Introduction to Applied Algebraic Systems
normal in G. Then Z n+1 (G) = [Z n (G), G] and, by Lemma 4.9.1 (ii), Z n+1 (G) is a normal subgroup of G. Part (i) now follows by induction. (ii) By definition, [Z n (G), G] ⊆ Z n+1 (G) and so, by Lemma 4.9.1 (i), we have Z n (G) / Z n+1 (G) ⊆ Z (G/Z n+1 (G)). (iii) The assertion is trivially true for n = 1 and it is possible to proceed by induction. We leave the details for you as an exercise. We can now describe one possible approach to testing whether a group is nilpotent. Theorem 4.9.3 Let G be a group. Then G is nilpotent if and only if there exists an integer n such that Z n (G) = {1}. Proof. First suppose that n is an integer such that Z n (G) = {1}. Then, by Lemma 4.9.2, {1} = Z n (G) ⊆ Z n−1 (G) ⊆ · · · ⊆ Z 1 (G) = G is a central series. Therefore, G is nilpotent. Conversely, suppose that G is nilpotent. Then there exists a central series {1} = Gn ⊆ Gn−1 ⊆ · · · ⊆ G0 = G as in (4.6). We claim that, for each i ≥ 1, Z i (G) ⊆ Gi−1 . For i = 1, we have Z 1 (G) = G = G0 = G1−1 . Thus, the claim is true for i = 1. So suppose that the claim is true for i—that is, that Z i (G) ⊆ Gi−1 . Then, since {Gi } is a central series, Gi−1 / Gi ⊆ Z (G/Gi ). By Lemma 4.9.1 (i), this implies that [Gi−1 , G] ⊆ Gi .
(4.7)
Groups: Homomorphisms and Subgroups 319
Therefore, Z i+1 (G) = [Z i (G), G]
(definition)
⊆ [Gi−1 , G]
(induction hypothesis)
⊆ Gi
(by (4.7)).
Thus, the claim is true for i + 1. Hence, by induction, the claim holds. In particular, with i = n + 1, we obtain Z n+1 (G) ⊆ Gn = {1} so that Z n+1 (G) = {1}.
The next result provides some indication of the complexity of the class of finite nilpotent groups. Lemma 4.9.4 Every finite p-group is nilpotent. Proof. Let G be a finite p-group, say |G| = p α where p is a prime and α ∈ N. We argue by induction on α. If α = 1, then |G| = p so that G is cyclic and abelian and, therefore, nilpotent. So suppose that the claim is true for any group H with |H | = p β where β < α. By the class equation for G, we know that G has a nontrivial center Z (G). If Z (G) = G, then G is abelian and therefore nilpotent. So suppose that {1} ⊂ Z (G) ⊂ G. Then |G/Z (G)| = p β where β < α. Therefore, by the = = induction hypothesis, G/Z (G) is nilpotent. Hence, by Theorem 4.9.3, there exists an integer n such that Z n (G/Z (G)) = {1}. Lemma 4.9.2 (iii) tells us that Z n (G) Z (G)/Z (G) ⊆ Z n (G/Z (G)) = {1} which implies that Z n (G)Z (G) ⊆ Z (G) and therefore that Z n (G) ⊆ Z (G). Hence, Z n+1 (G) = [Z n (G), G] ⊆ [Z (G), G] = {1}. Therefore, G is nilpotent.
320 Introduction to Applied Algebraic Systems
One consequence of Lemma 4.9.4 is that every Sylow p-subgroup of a finite group is nilpotent, so we now take a closer look at Sylow p-subgroups. Lemma 4.9.5 Let P be a Sylow p-subgroup of a finite group G. Then NG (P) is its own normalizer—that is, NG (NG (P)) = NG (P). Proof. Let g ∈ G. Then, g ∈ NG (NG (P)) =⇒ gNG (P)g −1 = NG (P) =⇒ gPg −1 ⊆ gNG (P)g −1 ⊆ NG (P) =⇒ gPg −1 is a Sylow p-subgroup of NG (P) =⇒ gPg −1 is conjugate to P in NG (P) (by Theorem 4.6.7) =⇒ gPg −1 = aPa −1 for some a ∈ NG (P) =⇒ gPg −1 = P since a ∈ NG (P) =⇒ g ∈ NG (P). Therefore, NG (NG (P)) ⊆ NG (P) whereas the reverse containment is obvious. It is possible for a proper subgroup to be equal to its own normalizer (see the exercises). However, this will never happen in a nilpotent group. Lemma 4.9.6 Let H be a proper subgroup of the nilpotent group G. Then H is also a proper subgroup of NG (H ). Proof. Since G is nilpotent, there exists an integer n ∈ N with Z n (G) = {1}. Since Z 1 (G) = G, it follows that there must exist an integer i with Z i+1 (G) ⊆ H
but
Z i (G) ⊆ H .
Then, [Z i (G), H ] ⊆ [Z i (G), G] = Z i+1 (G) ⊆ H . Therefore, for any g ∈ Z i (G), h ∈ H we have g −1 hg = g −1 hgh −1 h = [g , h −1 ]h
Groups: Homomorphisms and Subgroups 321
∈ [Z i (G), H ]h ⊆ Hh = H. Hence, Z i (G) ⊆ NG (H ) so that H is a proper subgroup of NG (H ).
We are now ready for the characterization of finite nilpotent groups in terms of their Sylow subgroups. α
Theorem 4.9.7 Let G be a finite group with |G| = p1α1 · · · pk k where the pi are distinct primes. Then the following statements are equivalent: (i) (ii) (iii) (iv)
G is nilpotent. For each i, G has a unique Sylow pi -subgroup, Pi say. Every Sylow subgroup of G is normal in G. G∼ = P1 × P2 × · · · × Pk where, for each i, Pi is the unique Sylow pi -subgroup of G.
Proof. (i) implies (ii). Let P be any Sylow subgroup of G. By Lemma 4.9.5, we have NG (NG (P)) = NG (P). But, by Lemma 4.9.6, we know that NG (P) is a proper subgroup of NG (NG (P)) unless NG (P) = G. Hence, to avoid a contradiction, we must have NG (P) = G. Thus every Sylow subgroup of G is normal and therefore unique. (ii) and (iii) are equivalent. This follows immediately from Corollary 4.6.8. (ii) implies (iv). This follows immediately from Theorem 4.7.5. (iv) implies (i). This is left for you as an exercise. Exercises 4.9 1. Which of the following groups are nilpotent? (i) (ii) (iii) (iv) (v)
Zn . S3 . Q8 . D4 . D5 .
2. Find the normalizer of each subgroup in S3 . 3. Show that every subgroup of a nilpotent group is nilpotent.
322 Introduction to Applied Algebraic Systems
4. Show that any homomorphic image of a nilpotent group is nilpotent. 5. Let P1 , . . . , Pn be nilpotent groups. Show that P1 × P2 × · · · × Pn is nilpotent.
4.10 The Enigma Encryption Machine
Recall that a substitution cipher is one in which the encoding process is determined by a permutation of the letters of the alphabet. Such a scheme, based on a single permutation, applied to a complete message, would be considered extremely insecure these days. However, there was one fairly recent and historically very important substitution cipher that was based on refinements of this idea. It was called the Enigma. The scheme was designed by German engineer Arthur Scherbius at the end of World War I, around 1918. The basic model was used commercially and by the German armed forces between the two world wars. Various cryptographic improvements were introduced by the German armed forces prior to and during the World War II. The cipher was implemented by means of a very ingenious machine (the Enigma Machine) that consisted of a mechanical keyboard, a plugboard, an entry wheel, three (sometimes four) rotors, a reflection board, and a lamp board together with a battery and some wired circuits that connected the components. Figure 4.1 contains a photograph of an Enigma Machine with three rotors. The entry wheel, rotors, and reflection board were on the one shaft or axle and touching each other via pins and contact plates. The 26 letters
Figure 4.1 Enigma Machine This is a standard German military (3-wheel, with plugboard) Enigma machine, from the Collection in the Museum of the Government Communications Headquarters (GCHQ), the United Kingdom’s Signals Intelligence Agency and is used by the permission of the Director, GCHQ; UK Crown Copyright Reserved.
Groups: Homomorphisms and Subgroups 323
of the alphabet were equally spaced round the rim of each rotor, and there was a small window for each rotor through which one letter of the alphabet was visible. The entry and reflection boards were fixed, but the rotors could rotate through the 26 positions corresponding to the letters of the alphabet, and whichever letter was visible on a rotor then identified the position of that rotor. The order in which the three rotors were positioned on the shaft was variable, with six possible arrangements in all. Each rotor had 26 small contact plates on one side and 26 spring loaded brass pins on the other, with the pins of one rotor contacting the plates of the neighboring rotor. Each plate and pin on a rotor corresponded to a letter of the alphabet and internal wiring in each rotor connected the plates to the pins in a scrambled manner that was different for each rotor. In that way, an electrical current entering the a plate, for instance, might flow to the k pin, so that each rotor implemented a substitution cipher. The plugboard implemented a simple substitution cipher consisting of a series of as many as 13, but usually 6–10, pairings of letters. If f was paired with q, then the plugboard would replace f by q and q by f . Some letters would remain unpaired and therefore be transmitted to the next stage unchanged. Thus viewed as a permutation P, the plugboard consisted of a product of disjoint 2-cycles. The actual pairings in the plugboard were not fixed, but were set by the operator each day simply by plugging in (hence the name “plugboard”) connecting cables between the sockets corresponding to each set of paired letters, rather like an old-fashioned telephone switchboard. The introduction of the plugboard complicated the task of the cryptanalyst as it increased the total number of available encryption codes by an enormous factor. The contribution of the reflection board was twofold. First it applied a substitution cipher consisting, like the plugboard, of a series of pairings of letters, but here the pairings were fixed and did not vary from day to day. Also the pairings included the whole alphabet. So the reflection board could be described as a permutation M consisting of a product of 13 disjoint 2-cycles. The second function of the reflection board was to act a bit like a mirror and send the resulting letter back through the rotors and plug board in reverse order. In the early commercial versions, the entry wheel also involved an encryption based on the arrangement of keys on a keyboard: a to q, b to w, c to e, and so on. So it was natural to assume that the military version would also involve an encrypting entry wheel. This caused quite some delay in the analysis of the Enigma encryption until it was realized that the entry wheel in the military version involved no encryption. Since a composition of substitution ciphers is still a substitution cipher, the entry wheel, three rotors, and reflection plate all constituted one complex substitution cipher. What moved this beyond being just a simple substitution cipher was the fact that the overall configuration was constantly being changed. The starting positions of the plug board and rotation wheels were determined each day by a code book that was distributed monthly. Then the position of the rotors would change with each letter so that successive letters were encoded according to different encryption schemes. This constant change was achieved in a manner similar to that in which the digits change in an odometer
324 Introduction to Applied Algebraic Systems
in a car. The first rotor rotated one twenty-sixth of a revolution with every letter typed, the second rotor would then turn one twenty-sixth after each full rotation of the first rotor and the third rotor would turn one twenty-sixth after each full rotation of the second rotor. However, this pattern was not followed exactly, since there was also a feature that resulted in the second and third rotors occasionally moving through two twentysixths, instead of just one twentysixth of a revolution. We will ignore this added twist in our discussion. In addition, in later versions, the three or four rotors would be chosen each day from a set of six, seven or eight available rotors. Since the three chosen rotors could be placed in any order, even once the daily choice of rotors and the configuration of plugboard were known, the rotors themselves provided 6 × 26 × 26 × 26 = 105, 456 different encryption schemes so that a message would have to contain over 105,456 letters before the same scheme would be used twice. So, the parts that contributed to the encryption were: the plugboard: P the rotors: R1 , R2 , R3 the reflection board:M . Any letter entered on the keyboard would be encrypted successively by the plug board, the rotors in the order R1 , R2 , R3 , followed by the reflection board which would send the result back through the rotors in reverse order, R3 , R2 , R1 , then to the plugboard once more, at the end of which a bulb would light up on the lampboard (there being one bulb for each letter of the alphabet) indicating the final encrypted output. Thus the basic encryption, omitting for the moment the rotating feature of the rotors, was obtained as the composition of nine individual encryptions and can be represented as the product of the corresponding permutations as
Figure 4.2 Enigma encryption scheme
Groups: Homomorphisms and Subgroups 325
(where, since we write our functions on the left, the product should be read from right to left): E = P −1 R1−1 R2−1 R3−1 MR3 R2 R1 P. The action of the reflecting board gave the Enigma scheme three interesting properties. First, the decryption process was exactly the same as the encryption process. In other words, for any letter x, EE(x) = x, that is, as a permutation, E is of order two. That meant that the operator could use the same settings for both sending and receiving messages. It also meant that, if the Enigma machine encrypted a as t , then it encrypted t as a and so on. In addition, no letter would ever be left fixed by the encryption process: E(x) = x, for all letters x. In other words, E itself, as a permutation, had to be a product of 13 disjoint 2-cycles. These latter two features proved to be a serious weakness in the security of the Enigma encryption as they imposed some structure on the encryption process that aided cryptanalysis and eliminated many possible configurations from the calculations of the Polish and British cryptanalysts. Polish mathematicians, led by M. Rejewski, were able to determine the wiring of the first three rotors prior to the commencement of World War II. We will now consider some of the important mathematical features that made this possible. In order to see the effect of rotating the first rotor through 1/26th of a revolution, consider first the effect on the encryption of the letter a in the initial position. Suppose that R1 (a) = p, R1 (z) = t . Then the action of the first rotor is illustrated in Figure 4.3. After R1 is rotated through 1/26th of a rotation clockwise, the situation changes to that illustrated in Figure 4.4. Let S = (abc . . . yz), the permutation consisting of one cycle of length 26. Then a → u = S(t ) = SR1 (z) = SR1 S −1 (a). Thus the first rotor now encrypts a as SR1 S −1 (a). Clearly the same reasoning applies to any letter, so that after a rotation through 1/26th of a revolution
Figure 4.3 Encryption by R1 before rotation
326 Introduction to Applied Algebraic Systems
Figure 4.4 Encryption by R1 after rotation
the first rotor now encrypts the whole alphabet via SR1 S −1 . Repeating the argument, we see that if the first rotor has been rotated through 1/26ths of a revolution, then the resulting encryption from the first rotor will be S i R1 S −i . Extending the above argument to all the rotors, assuming that at some point in a transmission the rotors had been moved respectively i, j and k times, then the resulting encryption for that letter would be given by: Eijk = P −1 S i R1−1 S −i S j R2−1 S −j S k R3−1 S −k MS k R3 S −k S j R2 S −j S i R1 S −i P. A protocol introduced by the German armed forces turned out to be the System’s Achilles heel. By this protocol, the Enigma operators would choose their own starting position for the rotors. The problem was that they had to communicate to their recipients what that starting position would be. That was done by sending the three letters representing the starting position of the three rotors twice. So if the starting position was going to be abc, then the operator would send abcabc (which we will refer to as a prefix) encoded using the prescribed starting position for that day, according to the code book. The message that followed would then be sent using abc as the starting positions for the three rotors. The objective in sending the prefix with the duplication of the three letters was to ensure that they were properly received. The unintended consequence was the introduction of a fatal weakness in the procedure. All the transmitting stations would be using the same standard position for the transmission of these first six letters. By piecing together the transmissions from many different stations on a given day, Rejewski could see the resulting encryptions of many different letters being repeated. Let us denote the resulting encryptions that were being applied to these first six letters by A, B, C, D, E, and F . As before, each of these encryptions is of order two. If the operator was encrypting abcabc, then the transmission would consist of A(a), B(b), C(c), D(a), E(b), F (c). Suppose now that there was another prefix from another station that began with D(a). Then that must come from a prefix of the form pqrpqr where A(p) = D(a) = DA(A(a)). Now add a third prefix uvwuvw starting with A(u) = D(p). We now have A(u) = D(p) = DA(A(p)) =
Groups: Homomorphisms and Subgroups 327
DA(DA(A(a))). Thus we are building up the cycle in the permuation DA starting with A(a) : (A(a) DA(A(a)) (DA)2 (A(a)) . . .). With enough messages to work with on a given day, Rejewski was able to determine, from the encoded prefixes, all the cycles of the permutations DA, EB, and FC. The next step was to extract the individual permutations A, B, Cand so on from these products. As it turned out, finding just one correct encryption A(x) of any letter x could provide a great deal of information about A, B, C, . . . Recall that the permutations A, B, C, . . . are all products of 13 disjoint transpositions. So, if A(a1 ) = b1 , for instance, then that means that (a1 b1 ) is one of the transpositions in A. It also means that a1 and b1 belong to different cycles in DA (see exercises). Let the disjoint cycles in DA containing a1 and b1 be α = (a1 a2 . . . am ),
β = (b1 b2 . . . bn )
respectively. Then, for any x = ai or bj , DA(x) = βα(x) = αβ(x). Hence D(a1 ) = DA(b1 ) = αβ(b1 ) = b2 . Since D is a product of disjoint 2-cycles, (a1 b2 ) must be one of those 2-cycles. Furthermore, DA(am ) = αβ(am ) = a1 = D(b2 ) = DA(A(b2 )) which, since DA is a permutation, implies that A(b2 ) = am , so that (am b2 ) is a cycle of A. Continuing in this way, D(am ) = D(A(b2 )) = αβ(b2 ) = b3 and DA(A(b3 )) = D(b3 ) = am = αβ(am−1 ) = DA(am−1 ) so that (am b3 ) is a 2-cycle in D and (am−1 b3 ) is a 2-cycle in A. Thus, the pattern emerges and we see that if we just line up the cycle α above the inverse of the cycle β and line up a1 with b1 for A and a1 with b2 for D then we can read off all the other cycles in A and D. In particular, we see that the cycles α and β must have the same length, m = n. Thus writing (a1 a2 . . . am )
(a1 a2 . . . am )
(b1 bm . . . b2 )
(b2 b1 . . . b3 )
we can read off A = (a1 b1 )(a2 bm ) . . . (am b2 ) B = (a1 b2 )(a2 b1 ) . . . (am b3 )
328 Introduction to Applied Algebraic Systems
That means that the cycles in DA must pair off into cycles of equal length and to find the individual permutations A and D, it suffices to find one single value of A in each pair of cycles of DA. The same approach applies to the permutations B, C, D, E, and F . The key to this was Rejewski’s intuition that certain prefixes, such as aaaaaa, abcabc, possible names of girl friends and so on would be especially popular. A combination of trial and error and intelligent guessing yielded up the values of A, B, C, D, E, and F and therefore the settings for the day. Satisfying as this must have been, it was only the first hurdle. Knowing only the permutations A, . . . , F would not enable the decryption of whole messages. For that it would still be necessary to find the values of P, R1 , R2 , R3 , and M . Rejewski knew the value of A = P −1 SR1−1 S −1 R2−1 R3−1 MR3 R2 SR1 S −1 P. French espionage had managed to obtain the standard daily settings (including the value of P) for a period of two months in 1932 and had given them to the Polish secret service. Hence the value U = R1−1 S −1 R2−1 R3−1 MR3 R2 SR1 = S −1 PAP −1 S was also now known. Similarly, the following permutations could be calculated from B, C and D, respectively: V = R1−1 S −2 R2−1 R3−1 MR3 R2 S 2 R1 W = R1−1 S −3 R2−1 R3−1 MR3 R2 S 3 R1 X = R1−1 S −4 R2−1 R3−1 MR3 R2 S 4 R1 . Now let T = R1−1 SR1
(4.8)
Then it was quite straightforward to calculate that WV = T −1 (VU )T
and
XW = T −1 (WV )T .
(4.9)
From the knowledge of U , V , W and X it was possible to calculate the permutations VU, WV and XW. It was at this point that Theorem 4.5.2 played a critical role. Using the technique in Theorem 4.5.2, it was possible to extract the value of R1 from these equations. In order to solve the above equations, it is sufficient to be able to find, for any two conjugate permutations ρ, σ in Sn a permutation γ such that ρ = γ −1 σ γ . The proof of Theorem 4.5.2 tells us exactly how to do that. Since the permutations ρ and σ are conjugate, they have the same cycle pattern and so we may write them one above the other in
Groups: Homomorphisms and Subgroups 329
such a way that cycles that are above each other are of equal length. We can then read off a conjugating element. However, since a cycle can be written in many different ways and there may be more than one cycle of the same length, there was still the question of finding the correct conjugating element. At the first step, solving (4.9), there are two equations and so the solution had to work for both equations and, it turned out, that that sufficed to guarantee a unique solution. Then in order to complete the final step of solving (4.8) for R1 , there are only 26 possible ways to position S overT , since S is a permutation with just one cycle of length 26. So trial and error would suffice, although Rejewski claimed to have some additional tricks that would reduce the work involved at this stage. By a stroke of good luck, the daily starting configurations provided by the French covered a period where the positioning of the three rotors was changed. Consequently the above methods could be employed again to provide the wiring/encoding of a second rotor and from the knowledge of two of the rotors it was possible to deduce the wiring of the third and the reflection board. The Polish mathematicians passed this information on to the British on the eve of the war. From their center at Bletchley Park, the British then mounted a continual and growing attack on German communications throughout the war. It is claimed that the success of these efforts shortened the war by as many as two years. This work was led by Alan Turing, who is renowned for his fundamental contributions to the theory of computing and is known to many as the father of computing. Despite suspicions of security leaks, the Germans never doubted the security of the Enigma. Their confidence appears to have been based on the enormous number (approximately 3 × 10114 , see [Mil]) of possible configurations of the various settings. For details on the contributions of the various components in the Enigma machine to the total number of possible configurations, see [Mil]. For background on the vital Polish contribution to the cracking of the code and the critical role played by the theory of permutations, see [Rej]. For more information on the history of the Enigma machine, the workings of Bletchley Park and Turing’s life, see [Hod]. The author gratefully acknowledges having consulted with the GCHQ Historian regarding the history of the Enigma. This and the provision of the photograph in Figure 4.1 should not be taken as confirming or refuting any aspect, nor the completeness, of the analysis of the mathematics of the Enigma machine provided here. Exercises 4.10 1. Prove that, in the Enigma encryption scheme, the decryption function is the same as the encryption function. 2. Prove that the Enigma encryption scheme encrypts every letter to a different letter.
330 Introduction to Applied Algebraic Systems
3. How many possible configurations are there of the plugboard in an enigma machine assuming that there are 7 pairings? 4. Show that the Enigma encryption E can be represented as a product of disjoint 2-cycles. 5. Let λ, µ, ν, ρ, σ ∈ S6 , be such that λ = (13)(25)(46) µ = (16)(24)(35) ν = (15)(26)(34) σ = (1 2 3 4 5 6) and ρ(1) = 3. Now solve the equations: µ = τ −1 λτ ,
ν = τ −1 µτ ,
τ = ρ −1 σρ
for τ andρ. ∗ 6.
Let α, β ∈ S2m , where both α and β are products of m disjoint transpositions: α = (a1 a2 )(a3 a4 ) · · · (am−1 am ) β = (b1 b2 )(b3 b4 ) · · · (bm−1 bm ). Let γ = βα. Show that, when γ is expressed as a product of disjoint cycles, a1 and a2 lie in different cycles.
5 Rings and Polynomials
In chapter 2 we encountered some of the basic properties of rings and fields. In particular, we considered the ring of polynomials in a single variable and saw how essential that theory is to the study of finite fields. In this chapter we return to the study of rings and polynomials, but this time we will be interested in some geometric aspects. After the introduction of the necessary ring theoretical concepts (such as an ideal) we turn our attention to polynomials in several variables and to various properties of the curves and surfaces that they define.
5.1 Homomorphisms and Ideals
Let (R, +, ·) and (S, +, ·) be rings. A mapping ϕ : R → S is a (ring ) homomorphism if, for all a, b ∈ R, ϕ(a + b) = ϕ(a) + ϕ(b) ϕ(a · b) = ϕ(a) · ϕ(b) that is, ϕ must respect both operations + and · . If ϕ is surjective, injective, or bijective then it is an epimorphism, monomorphism, or isomorphism, respectively. If R = S, then ϕ is an endomorphism. If R = S and ϕ is bijective, then ϕ is an automorphism. Let ϕ : (R, +, ·) → (S, +, ·) be a ring homomorphism. Then, necessarily, ϕ : (R, +) → (S, +) is a group homomorphism so that we should expect that 331
332 Introduction to Applied Algebraic Systems
an important feature of ϕ will be its kernel : ker(ϕ) = {a ∈ R | ϕ(a) = 0}. Obviously, the fact that a homomorphism respects the multiplication must be reflected in its kernel in some way. This leads to the following concept. A subset I of a ring R is an ideal if it satisfies the following conditions: (i) (I , +) is a subgroup of (R, +). (ii) For all r ∈ R, a ∈ I , we have ra, ar ∈ I . Clearly, {0} and R are ideals in any ring R. In addition, for any m ∈ Z, m Z is an ideal in the ring Z. Note that condition (ii) implies that an ideal I will be closed under multiplication. Hence, an ideal is always a subring. The converse of this is false; a subring need not be an ideal. For example, Z is a subring of Q and Q is a subring of R but Z is not an ideal in Q and Q is not an ideal in R. However, since any ideal must be a subring, the following condition can be substituted for condition (i): (i) I is a subring of R. Substituting the usual test for a subgroup in the definition of an ideal, we arrive at the following test for an ideal. Lemma 5.1.1 Let R be a ring and I ⊆ R. Then I is an ideal if and only if it satisfies the following conditions: (i) I = ∅. (ii) a, b ∈ I ⇒ a − b ∈ I . (iii) a ∈ I , r ∈ R ⇒ ra, ar ∈ I . Proof. Exercise.
It is possible to combine ideals in simple ways to obtain new ideals. For any ideals I , J in a ring R, let I + J = {a + b | a ∈ I , b ∈ J }. Lemma 5.1.2 Let I , J be ideals in a ring R. Then I ∩ J and I + J are both ideals in R. Proof. Exercise.
We can also generate ideals by picking elements from R and then taking all possible combinations of those elements. For any nonempty subset A of R,
Rings and Polynomials 333
let A denote the set of all elements of the form a1 + a2 + · · · + ak + rk+1 ak+1 + rk+2 ak+2 + · · · + rl al + al+1 rl+1 + · · · + am rm + rm+1 am+1 sm+1 + · · · + rn an sn where ai ∈ A, ri , si ∈ R, for all i. If A is finite, say, A = {a1 , . . . , am }, then we also write a1 , . . . , am for A. It is also convenient to extend the definition of A to include A = ∅ by defining ∅ = {0}. Lemma 5.1.3 Let R be a ring and A ⊆ R. Then A is an ideal in R and is the smallest ideal of R containing A. Proof. Exercise.
We refer to A as the ideal generated by A (or the ideal generated by a1 , . . . , am if A = {a1 , . . . , am }). Moreover, if I is an ideal and there exist a1 , . . . , am ∈ I such that I = a1 , . . . , am then we say that I is a finitely generated ideal. If R is a commutative ring, then the description of A simplifies considerably, as it will consist of all elements of the form a1 + · · · + ak + rk+1 ak+1 + · · · + rl al
(ai ∈ A, ri ∈ R).
If R is commutative and has an identity, then the description of A becomes even simpler as A will consist of all elements of the form r1 a1 + · · · + rk ak
(ai ∈ A, ri ∈ R).
Finally, if R is a commutative ring with identity and a ∈ R, then a = {ra | r ∈ R}. An ideal of the form a is called a principal ideal. If R is an integral domain and every ideal in R is principal, then R is a principal ideal domain. The most familiar example of a principal ideal domain is Z. Another example is F [x] for any field F . Any field F is a principal ideal domain in a trivial sort of way since the only ideals in F are F = 1 and {0} = 0.
334 Introduction to Applied Algebraic Systems
Since an ideal I of a ring R is also a subgroup of the abelian group (R, +), we can form the quotient group (R/I , +) which consists of the cosets of (I , +) in (R, +). The fact that I is an ideal makes it possible to define a further operation on R/I as follows: For any a, b ∈ R, we define (I + a) · (I + b) = I + ab.
(5.1)
Suppose that I +a = I +a and I +b = I +b . Then there must exist elements x, y ∈ I with a = x + a ,
b = y + b
so that a b = (x + a)(y + b) = xy + xb + ay + ab ∈ I + ab since I is an ideal. Thus, I + a b = I + ab, and the operation in (5.1) is well defined. Lemma 5.1.4 Let I be an ideal in a ring R. Then R/I is also a ring and the 0 element in R/I is I . If R is commutative, then so also is R/I . If R has an identity 1, then so also does R/I —namely, I + 1. Proof. Exercise.
So we see more evidence that ideals play the role with respect to rings that normal subgroups play with respect to groups. Now n Z is an ideal in Z and Z/n Z consists of the set of cosets of n Z—that is, the sets of the form n Z + a = {a + nk | k ∈ Z} = [a]n . Thus, (Zn , +, ·) = (Z/n Z, +, ·). In a similar fashion, it follows that, for any f (x) ∈ F [x], (F [x]/f (x), +, ·) = (F [x]/f (x), +, ·). where F [x]/f (x) is as defined in chapter 2. The use of the ideal notation, f (x), on the right hand side of the above equation is, in fact, the more traditional and conventional notation.
Rings and Polynomials 335
Lemma 5.1.5 Let R be a ring. (i) If ϕ : R → S is a ring homomorphism, then ker(ϕ) is an ideal in R. (ii) If I is an ideal in R, then the mapping π : R → R/I defined by π(r) = I + r
(r ∈ R)
is an epimorphism with kernel equal to I . Proof. (i) Since ϕ : (R, +) → (S, +) is a group homomorphism, we know that ker (ϕ) is a subgroup of (R, +). Now let r ∈ R, a ∈ I . Then, ϕ(ra) = ϕ(r)ϕ(a) = ϕ(r) · 0
since a ∈ I
= 0. Thus, ra ∈ I . Similarly, ar ∈ I so that I is an ideal. (ii) Since (R/I , +) is a quotient group of (R, +), we know that π is surjective and respects addition. For any r, s ∈ R, π(rs) = I + rs = (I + r)(I + s) = π(r)π(s) so that π also respects multiplication and is a ring homomorphism. Moreover, r ∈ ker(ϕ) ⇔ ϕ(r) = 0 ⇔I +r =I ⇔r ∈I that is, ker(ϕ) = I .
The homomorphism π : R → R/I in Lemma 5.1.5 (ii) is known as the natural homomorphism. Theorem 5.1.6 (First Homomorphism Theorem for Rings) Let R, S be rings and ϕ : R → S be a surjective ring homomorphism. Let I = ker(ϕ) and
336 Introduction to Applied Algebraic Systems
π : R → R/I be the natural homomorphism. Then there exists an isomorphism θ : R/I → S such that θ π = ϕ: ϕ
- S 3 θ
R π ? R/I
Proof. For any r ∈ R, define θ (I + r) = ϕ(r). To see that this defines a mapping θ : R/I → S, let s ∈ R be such that I + r = I + s. Then, I +r =I +s ⇒r −s ∈I ⇒ ϕ(r − s) = 0 ⇒ ϕ(r) − ϕ(s) = 0 ⇒ ϕ(r) = ϕ(s). Thus, θ is well defined. For any r, s ∈ R, we have θ((I + r) + (I + s)) = θ (I + (r + s)) = ϕ(r + s) = ϕ(r) + ϕ(s) = θ (I + r) + θ (I + s) so that θ respects addition. A similar argument shows that θ respects multiplication: θ((I + r)(I + s)) = θ (I + rs) = ϕ(rs) = ϕ(r)ϕ(s) = θ (I + r) · θ (I + s). Therefore, ϕ is a homomorphism. For any s ∈ S, there exists an r ∈ R with ϕ(r) = s, since ϕ is surjective by the hypothesis. Hence, s = ϕ(r) = θ (I + r)
Rings and Polynomials 337
and θ is also surjective. Furthermore, θ(I + r) = θ (I + s) ⇒ ϕ(r) = ϕ(s) ⇒ ϕ(r − s) = 0 ⇒r −s ∈I ⇒I +r =I +s so that ϕ is also injective and therefore an isomorphism. Finally, for any r ∈ R, we have θ π(r) = θ (I + r) = ϕ(r) so that θπ = ϕ.
We conclude this section with the observation that at least in some situations (namely, Z and F [x]) we know all the ideals. Theorem 5.1.7 (i) Every ideal in Z is of the form n, for some n ∈ Z. (ii) Every ideal in F [x] is of the form f (x), for some f (x) ∈ F [x]. Proof. This is a simple application of the division algorithms for Z and F [x], and is left for you as an exercise. Exercises 5.1 1. Show that the set of all noninvertible 2 × 2 matrices over a field F is not a subring of M2 (F ). 2. Let D denote the set of all diagonal n × n matrices with entries from Q. Show that D is a subring, but not an ideal, of Mn (Q), the ring of all n × n matrices over Q. 3. Let F be a field. Prove that F contains only two ideals: namely, F itself and {0}. 4. Characterize all ideals in Z. 5. Characterize all ideals in Zn , n > 1. 6. Let F be a field. Show that every ideal in F [x] is principal. 7. Let F be a field and fi (x) ∈ F [x], 1 ≤ i ≤ n. Let I = f1 (x), f2 (x), . . . , fn (x). Describe an algorithm to find a single generator for I . 8. Let . {Iα | α ∈ A} be a nonempty family of ideals in a ring R. Show that α∈A Iα is an ideal in R.
338 Introduction to Applied Algebraic Systems
9. Let I , J be ideals in a ring R. Prove that I + J is an ideal in R. 10. Let I and J be ideals in a ring R such that I ∩ J = {0}. Show that IJ = {0}. 11. Let I and J be ideals in a ring R such that (i) I ∩ J = {0} (ii) I + J = R. Show that R is isomorphic to the direct product I × J of I and J where the operations in I × J are defined componentwise: (i, j) + (i , j ) = (i + i , j + j ), (i, j)(i , j ) = (ii , jj ). 12. Let ϕ : R → S be a ring epimorphism. (i) Show that for any ideal I in R, ϕ(I ) is an ideal in S. (ii) Show that for any ideal J in S, ϕ −1 (J ) is an ideal in R. ∗ 13.
Show that, for any field F , Mn (F) has no proper nontrivial ideals.
A subset I of a ring R is said to be a left ideal if it is a subring and satisfies the condition r ∈ R, a ∈ I ⇒ ra ∈ I . A right ideal is defined similarly. ∗ 14.
Find left and right ideals in Mn (Q) that are not (two-sided) ideals.
∗ 15.
Let R consist of all 2 × 2 matrices (aij ) with a11 ∈ Z, a12 , a22 ∈ Q and a21 = 0. (i) Show that R is a subring of Mn (Q). (ii) Find an infinite chain of ideals: I1 ⊇ I2 . . . ⊇ In . . . in R. (iii) Find an infinite chain of left ideals: J1 ⊆ J2 . . . ⊆ Jn . . . in R.
16. Let R be a ring, a ∈ R, La = {x ∈ R | xa = 0}, and Ra = {x ∈ R | ax = 0}. (i) Show that La is a left ideal of R. (ii) Show that Ra is a right ideal of R. (iii) Use M2 (Q) to show that La and Ra can be distinct. 17. Let R be a commutative ring and N = {a ∈ R | ∃ n ∈ N with a n = 0}. (Note that the value of n may vary depending on the particular element a. Such an element a is called a nilpotent element.) Show that N is an ideal in R. 18. For R = Z36 , find N as described in Exercise 17. 19. Characterize the nilpotent elements in Zn .
Rings and Polynomials 339
20. Let I be an ideal of R. Let √ R be a commutative ring and I = {a ∈ R | ∃ n ∈ N with a n ∈ I }. (Again, the √ particular value of n may depend on the particular a.) Show that I is an ideal of R. √ 21. Let I = 360 Z. Find I . 22. Let R be an integral domain and M be a maximal ideal in R (that is, if A is an ideal in R with M ⊆ A ⊆ R, then either A = M or A = R). Show that R/M is a field.
5.2 Polynomial Rings
Let R be a commutative ring with identity and {x1 , . . . , xn } be a set of variables. Then we denote by R[x1 , . . . , xn ] the set of all polynomials in x1 , . . . , xn with coefficients in R—that is, the set of all formal expressions of the form
aα x1α1 x2α2 · · · xnαn
α=(α1 ,...,αn )
where aα ∈ R, the summation runs over α = (α1 , . . . , αn ) ∈ (N ∪ {0})n and, at most, a finite number of the aα are nonzero. For simplicity, we often omit expressions of the form xi0 . For example, x1 + 3x2 x3 + x42 ,
x12 + x22 + x32 + x42
are elements of Z[x1 , x2 , x3 , x4 ]. It is usually convenient to adopt a simpler notation for an arbitrary polynomial, such as f (x1 , . . . , xn ), g (x1 , . . . , xn ), and so forth. By this we mean that f (x1 , . . . , xn ) =
α
aα x1α1 · · · xnαn
(5.2)
for suitable aα ∈ R, and so on. Indeed, we may go one step further and write simply f for f (x1 , . . . , xn ). We refer to the elements of R[x1 , . . . , xn ] as polynomials in x1 , . . . , xn over R. When the number of variables involved is small, we may use the symbols x, y, z, . . . in place of x1 , x2 , x3 , . . . . Extending the terminology of chapter 2, we refer to the aα as the coefficients of f and say that f is a constant polynomial if aα = 0 for all α = (0, 0, . . . , 0). Each expression of the form x1α1 x2α2 · · · xnαn
340 Introduction to Applied Algebraic Systems
is a monomial and each expression of the form aα x1α1 x2α2 · · · xnαn is a (monomial) term. We denote by M the set of all monomials in R[x1 , . . . , xn ]. The degree of the previous term is |α| = α1 + α2 + · · · + αn . The degree, deg(f (x1 , . . . , xn )), of f (x1 , . . . , xn ) is max{|α| | aα = 0}. It is clear how we can define the sum of two such polynomials in n variables over R: α
aα x1α1 · · · xnαn +
α
bα x1α1 · · · xnαn =
(aα + bα )x1α1 · · · xnαn . α
A formal definition of the product of two polynomials in n variables is a bit more complicated: $ α
aα x1α1 · · · xnαn
%$ α
% bα x1α1 · · · xnαn = cα x1α1 · · · xnαn α
where cα =
aγ bδ
α=γ +δ
where γ + δ is the sum of vectors performed in R n . When applied to a specific example, this looks exactly as one would expect. Note that it is implicit in the definition of multiplication of polynomials that the variables commute with each other and with the elements of R: xi xj = xj xi ,
axi = xi a
(a ∈ R).
Lemma 5.2.1 Let F be a field and f (x1 , . . . , xn ), g (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ]. Then deg (f (x1 , . . . , xn ) g (x1 , . . . , xn )) = deg (f (x1 , . . . , xn )) + deg (g (x1 , . . . , xn )). Proof. Exercise.
Rings and Polynomials 341
Theorem 5.2.2 (i) For any commutative ring R (with identity ), R[x1 , x2 , . . . , xn ] is a commutative ring (with identity ). (ii) For any field F , F [x1 , . . . , xn ] is an integral domain. Proof. Exercise.
Henceforth, let us focus on polynomials over a field F . At this point, it is helpful to take a look at rational expressions in polynomials. They turn out to be quite reasonable to work with. In fact, the main observation at this point applies to any integral domain. Theorem 5.2.3 Let R be an integral domain and Q = {(a, b) ∈ R × R|b = 0}. Define a relation ∼ on Q by (a, b) ∼ (c, d) ⇔ ad = bc. Then ∼ is an equivalence relation on Q. Let [a, b] denote the ∼ class of (a, b) and Q/∼ denote the set of all ∼-classes. Define addition and multiplication in Q/∼ by [a, b] + [c, d] = [ad + bc, bd] [a, b] · [c, d] = [ac, bd]. Then (Q/∼, +, ) is a field with identity [1, 1] and zero [0, 1]. For any nonzero element [a, b], [a, b]−1 = [b, a]. Proof. Exercise.
The field Q/∼ is called the field of quotients of R. If you apply Theorem 5.2.3 to the ring Z, then, of course, we obtain a field Q/∼ isomorphic to Q, where [a, b] corresponds to the rational number ab . In like manner, if we take R = F [x1 , . . . , xn ], where F is a field, then by Theorem 5.2.2, R is an integral domain and we may apply Theorem 5.2.3 to obtain its field of quotients. It is customary to denote this field by F (x1 , . . . , xn ). As with the rational numbers, we adopt the familiar notation for fractions when convenient and write f (x1 , . . . , xn ) g (x1 , . . . , xn )
342 Introduction to Applied Algebraic Systems
in place of [f (x1 , . . . , xn ), g (x1 , . . . , xn )]. A nonconstant polynomial in F [x1 , . . . , xn ] is said to be reducible if it can be written as the product of two nonconstant polynomials; otherwise, it is said to be irreducible. Let f , g ∈ F [x1 , . . . , xn ]. We say that g divides f or that g is a divisor of f if there exists a polynomial h ∈ F [x1 , . . . , xn ] with f = gh. When g divides f , we write g | f . Lemma 5.2.4 Let f , g , h ∈ F [x1 , . . . , xn ], f be irreducible, and f | gh. Then f divides g or h. Proof. We argue by induction on the number of variables n. By Exercise 2.6.15, the claim is true for n = 1. So let us assume that the claim holds for n − 1 variables. First assume that f does not involve one of the variables, so that it is a polynomial in n − 1 variables. Without loss of generality, we may assume that it is x1 that does not appear in f . Let us write g , h and gh as polynomials in x1 with coefficients in F [x2 , . . . , xn ] as follows: g=
k i=1
ai x1i , h
=
l i=1
bi x1i , gh
=
l+k
ci x1i .
i=1
Note that since f does not involve the variable x1 , the only way that f can divide gh is if f divides every coefficient ci . If f is a factor of every coefficient ai , then clearly f divides g and if f is a factor of every coefficient bi , then clearly f divides h. Either way, we have the desired result. We will now show that the alternative leads to a contradiction. So suppose that there exists a coefficient ar and a coefficient bs such that f divides neither ar nor bs . Again, without loss of generality, we can assume that r and s are the smallest such integers. In other words, f divides ai and bj for any i < r and any j < s. We now employ essentially the same technique that we used in the proof of Eisenstein’s criterion. Consider the coefficient cr+s (in gh). We have cr+s =
ai bj = (a0 br+s + · · · + ar−1 bs+1 ) + ar bs
i+j=r+s
+ (ar+1 bs−1 + · · · + ar+s b0 ). Now f divides at least one factor in each of the terms in (a0 br+s + · · · + ar−1 bs+1 ) and at least one factor in each of the terms in (ar+1 bs−1 + · · · + ar+s b0 ). Therefore f must divide ar bs and, by the induction hypothesis, f must divide either ar or bs . But this contradicts the choice of ar and bs .
Rings and Polynomials 343
Consequently, f must involve x1 , indeed, all the variables. Suppose for the moment that f is not just irreducible in F [x1 , . . . , xn ] but even in F (x2 , . . . , xn )[x1 ]. From the single variable case (Exercise 2.6.15), we know that in F (x2 , . . . , xn )[x1 ] either f divides g , or f divides h. Without loss of generality, we can assume that f divides g . Then there exists a polynomial r in F (x2 , . . . , xn )[x1 ] such that rf = g . Let d be the product of all the denominators of the coefficients in r, where r is considered as a polynomial in x1 with coefficients in the field F (x2 , . . . , xn ). Then d, dr are elements of F [x2 , . . . , xn ] and (dr)f = dg . Now let p be any irreducible factor of d in F [x2 , . . . , xn ]. Then p divides (dr)f . If p divided f then, since f is irreducible in F [x1 , x2 , . . . , xn ], we would have that f = ap, for some element a in F . But f involves the variable x1 while p does not. So this is impossible and we must have that p divides dr. We can now write d dr f = g p p Continuing in this way with all the irreducible factors of d, we finally express g as a multiple of f in F [x1 , . . . , xn ]. Thus f divides g . It only remains to show that whenever f (x1 , . . . , xn ) is irreducible in F [x1 , . . . , xn ], it is also irreducible in F (x2 , . . . , xn )[x1 ]. But this argument follows the argument of Proposition 2.6.7 almost word for word and so we leave the details to the reader. With the help of Lemma 5.2.4, we can establish unique factorization rather easily. Theorem 5.2.5 Let f (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] be a nonconstant polynomial. Then f (x1 , . . . , xn ) can be written as a product of irreducible polynomials in F [x1 , . . . , xn ]. Moreover, any such expression is unique to within the order in which the factors are written and scalar multiples. Proof. We argue by induction on the degree of f = f (x1 , . . . , xn ). If deg (f ) = 1, then f is itself irreducible. So suppose that deg (f ) = m and that the claim is true for all polynomials in F [x1 , . . . , xn ] of degree less than m. If f is irreducible, then we have the desired conclusion. If f is reducible, then there exist nonconstant polynomials g (x1 , . . . , xn ), h(x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] with f (x1 , . . . , xn ) = g (x1 , . . . , xn ) h(x1 , . . . , xn ).
(5.3)
Now, deg (g ) < m and deg (h) < m so that, by the induction hypothesis, g and h can be written as products of irreducible polynomials in F [x1 , . . . , xn ]. It then
344 Introduction to Applied Algebraic Systems
follows from (5.3) that f can be written as a product of irreducible polynomials. The uniqueness of the product now follows easily from Lemma 5.2.4. There is one more familiar idea from the theory of polynomials in one variable that extends to several variables. Let f , g , d ∈ F [x1 , . . . , xn ]. Then d is a greatest common divisor of f and g if (i) d divides f and g (ii) if h ∈ F [x1 , . . . , xn ] divides f and g then h divides d. Corollary 5.2.6 Any two polynomials f , g ∈ F [x1 , . . . , xn ] have a greatest common divisor. Proof. This is a simple exercise based on Theorem 5.2.5.
The parallel with the theory of polynomials in a single variable breaks down at this point as the greatest common divisor may not be a linear combination of the two polynomials. For example, the greatest common divisor of xy and yz is clearly y. However, y is not a combination of xy and yz. When working with polynomials in one variable of degree 2 or 3 over a field F , there is a very simple test for irreducibility. If f (x) ∈ F [x] and deg (f (x)) = 2, 3, then f (x) is irreducible if and only if f (x) has no roots in F . Life is not quite that simple for polynomials in several variables. There are some important differences between the theory of irreducible polynomials in one variable and the theory of irreducible polynomials in several variables. Let f (x) ∈ F [x]. Then, f (x) irreducible, deg (f (x)) ≥ 2 =⇒ f (x) has no roots in F . However, the fact that f ∈ F [x1 , . . . , xn ] is irreducible does not necessarily imply that f has no zeros. For example let f (x, y) = x 2 + y ∈ F [x, y]. Then, f (x, y) has many zeros. For example, (a, −a 2 ), for any a ∈ F . However, f (x, y) is irreducible. To see this, suppose that f (x, y) were reducible, then it would have to be expressible as a product of two polynomials of degree 1, say x 2 + y = (ax + by + c)(px + qy + r) . Equating certain of the coefficients, we find constant: 0 = cr coefficient of x: 0 = ar + cp. If c = r = 0, then the right side becomes (ax + by)(px + qy), in which every nonzero term will have degree 2. Hence, one of c, r must be zero and one nonzero. We can assume that c = 0, r = 0. Then, from the coefficient of x, we have cr = 0 and, therefore, r = 0. The right-hand side now
Rings and Polynomials 345
becomes (ax + by + c) · qy, which has no term x 2 . Thus, we have a contradiction and f (x, y) is irreducible. Notice that the argument is quite independent of the field F . Disappointing as this observation might be, there are some simple and helpful observations. The first is that the method that we used here can be applied to many simple situations. We assume that a polynomial is factorizable in some way and then equate the coefficients of different terms to determine whether it is possible to find a solution or to show that none exists. Another useful observation is the following. Let f (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] have degree 2 or 3 and suppose that f is reducible as f = gh where g , h ∈ F [x1 , . . . , xn ] are nonconstant polynomials. Then, deg (f ) = deg (g ) + deg (h) so that either deg (g ) = 1 or deg (h) = 1. Without loss of generality, let us suppose that deg (g ) = 1. Then there exist ci , c ∈ F with g = c1 x1 + c2 x2 + · · · + cn xn + c where at least one ci is nonzero. The equation g = 0 is then the equation of a line (if n = 2), plane (if n = 3), or, in general, a hyperplane. In particular, we must have f (x1 , . . . , xn ) = 0 wherever g (x1 , . . . , xn ) = 0 so that the solutions to f (x1 , . . . , xn ) = 0 must include the solutions to g (x1 , . . . , xn ) = 0. If it is evident that the solutions to f (x1 , . . . , xn ) do not include a line, plane, and so forth, then f must indeed be irreducible. In this way, it is easy to see that the following polynomials are irreducible: x 2 + y 2 − r 2 ∈ R[x] y − ax 2 + k ∈ R[x] y2 x2 − 2 + c ∈ R[x]. 2 a b There is one rather special situation that will, nevertheless, be important to us later, where a polynomial turns out to be highly reducible for reasons that are not immediately transparent. A Vandermonde matrix is an n × n matrix of the form ⎤ ⎡ A = x1n−1 x1n−2 ··· x1 1 ⎢ x n−1 x2n−2 ··· x2 1 ⎥ ⎥ ⎢ 2 ⎥ ⎢ (5.4) ⎥ ⎢ .. ⎦ ⎣ . xnn−1 xnn−2 ··· xn 1
346 Introduction to Applied Algebraic Systems
where the xi are variables. Then det (A) will be a polynomial in x1 , x2 , . . . , xn over F —that is, det (A) ∈ F [x1 , . . . , xn ]. Subtracting the second row from the first, we obtain a matrix with first row [x1n−1 − x2n−1
x1n−2 − x2n−2
= (x1 − x2 )[x1n−2 + · · · + x2n−2
···
x1 − x 2
0]
x1n−3 + · · · + x2n−3
···
1
0].
It follows that x1 − x2 must be a factor of det (A). In the same way, by subtracting the jth row from the ith row, we see that xi − xj must divide det (A), for all 1 ≤ i < j ≤ n. Hence, ⎛
⎞
det (A) = ⎝
(xi − xj )⎠ q(x1 , . . . , xn )
(5.5)
1≤i<j≤n
for some q(x1 , . . . , xn ) ∈ F [x1 , . . . , xn ]. Now, since each element in the expansion of det (A) is a product of terms with exactly one element from each row and column, it follows that deg (det (A)) = (n − 1) + (n − 2) + · · · + 2 + 1 =
(n − 1)n . 2
However, ⎛ deg ⎝
⎞ (xi − xj )⎠ =
1≤i<j≤n
(n − 1)n . 2
Consequently, q(x1 , . . . , xn ) is a constant c. Now one term in det (A) is x1n−1 x2n−2 · · · xn−1 so this must equal the corresponding term from (5.5): cx1n−1 x2n−2 · · · xn−1 . Hence, c = 1 and we have proved the following lemma. Lemma 5.2.7 Let A be a Vandermonde matrix as given in (5.4). Then det (A) =
1≤i<j≤n
(xi − xj ).
Rings and Polynomials 347
Now the equality in Lemma 5.2.7 is an equality of two polynomials. Consequently, they will yield the same result no matter what values in F we assign to the variables x1 , . . . , xn . In other words, the result also holds when we consider the elements xi to be elements of any field. Of course, we are then just evaluating the two polynomials for certain values of the variables. Associated in a natural way with each polynomial f (x1 , . . . , xn ) ∈ R[x1 , . . . , xn ], we have an evaluation function f : R n → R where f : (a1 , . . . , an ) → f (a1 , . . . , an ) and by f (a1 , . . . , an ) we mean the element of R obtained by replacing each occurrence of x1 in f (x1 , . . . , xn ) by a1 , each occurrence of x2 in f (x1 , . . . , xn ) by a2 , and so on. Now, in some situations, distinct polynomials will yield the same evaluation function. For example, the polynomials x + y, x p + y, and x + y p in Zp [x, y] yield the same function from Z2p to Zp since a p = a for all a ∈ Zp . We saw this sort of thing in section 2.5. However, there is one important situation regarding the underlying field that will guarantee that distinct polynomials determine distinct functions. (See Exercise 10 in section 2.5 for the corresponding result in F [x].) Theorem 5.2.8 Let F be an infinite field and f , g ∈ F [x1 , . . . , xn ]. Then f = g if and only if the associated functions F n → F are also equal. Proof. Assume that f and g induce the same functions F n → F and let h = f − g . Then h(a1 , . . . , an ) = f (a1 , . . . , an ) − g (a1 , . . . , an ) =0
(5.6)
for all a1 , . . . , an ∈ F . Claim: h is the zero polynomial. We will argue by induction on the degree of h. If deg (h) = 0—that is, h is a constant—then the claim is obvious. Also, if n = 1 then we have a polynomial in the single variable x1 . However, any nonzero polynomial in a single variable can only have finitely many zeros. So, once again, we must have h = 0. So let us assume that n ≥ 2 and that for any k ∈ F [x1 , . . . , xt ], where t < n, if k induces the zero function F t → F , then k is the zero polynomial. Now let us consider h as a polynomial in xn with coefficients in F [x1 , . . . , xn−1 ]: h(x1 , . . . , xn ) = p0 + p1 xn + · · · + pm xnm
348 Introduction to Applied Algebraic Systems
where pi = pi (x1 , . . . , xn−1 ) ∈ F [x1 , . . . , xn−1 ]. Let a1 , . . . , an−1 ∈ F . Substituting these values into the polynomials pi , we obtain a polynomial of degree m in F [xn ]: h(a1 , a2 , . . . , an−1 , xn ) = c0 + c1 xn + · · · + cm xnm
(5.7)
where ci = pi (a1 , a2 , . . . , an−1 ). By (5.6) we have that h(a1 , a2 , . . . , an−1 , an ) = 0 for all an ∈ F . Thus, the polynomial in (5.7) has infinitely many zeros. Since this is a polynomial in just one variable, it must be the zero polynomial: h(a1 , a2 , . . . , an−1 , xn ) = 0. This means that every coefficient is zero—that is, pi (a1 , a2 , . . . , an−1 ) = 0 for all i. But, the a1 , . . . , an−1 were chosen arbitrarily and pi (x1 , . . . , xn−1 ) ∈ F [x1 , . . . , xn−1 ] for all i. Hence, by the induction hypothesis, we must have pi (x1 , . . . , xn−1 ) = 0 for all i = 1, 2, . . . , m. Thus, h(x1 , . . . , xn ) = p0 + p1 xn + · · · + pm xnm =0 the zero polynomial. Consequently, f =h+g =0+g =g as required.
Exercises 5.2 1. Let char (F ) = 3. Show that 3x 3 y 5 , 2y 2 x 2 + 3 = F [x, y]. 2. Show that x 2 y − 1, y 2 x − x = x 2 − y, y 2 − 1 in F [x, y].
Rings and Polynomials 349
3. Show that x 2 + y, y 2 + z, z 2 + x = x + z 2 , y + z 4 , z + z 8 in F [x, y, z]. 4. Let F be a field with characteristic not equal to 2 and let a ∈ F ∗ be such that F contains a solution to x 2 = a. Show that F must contain two distinct roots of x 2 = a. 5. Let F be a field with characteristic different from 3 and let b ∈ F ∗ . Show that x 3 = b cannot have two repeated roots in F . 6. Show that x 2 + y 2 − 1 ∈ C [x, y] is irreducible. 7. Let f (x, y) = y 2 − g (x), where g (x) ∈ F [x], be a polynomial in F [x, y]. Show that f (x, y) is reducible if and only if there exists h(x) ∈ F [x] with g (x) = (h(x))2 . 8. Show that x n + y ∈ F [x, y] is irreducible for all n ∈ N. 9. Let g (x1 , . . . , xn−1 ) ∈ F [x1 , . . . , xn−1 ] be nonconstant and f (x1 , . . . , xn ) = xn2k − g (x1 , . . . , xn−1 ). Show that f is reducible if and only if there exists h(x1 , . . . , xn−1 ) ∈ F [x1 , . . . , xn−1 ] such that g = h 2 . 10. Show that x 2k + y 2k ∈ F [x, y] is reducible if F contains a root of the polynomial x 2 + 1. 11. Show that y 2 − x 3 − ax − b ∈ F [x, y] is irreducible for all a, b ∈ F . 12. Show that x 2 + xy + y 2 ∈ F [x, y] is reducible if and only if the polynomial x 2 − x + 1 has a root in F .
5.3 Division Algorithm in F [x1 , x2 , . . . , xn ] : Single Divisor
In chapter 2 we saw many applications of the division algorithm for polynomials in one variable. To those applications, we can add one more. Let I be an ideal in F [x] and suppose that we would like an algorithm that would decide, given any f (x) ∈ F [x], whether f (x) ∈ I . To achieve this we must, of course, have a reasonable description of I . We know (see Exercise 6 in section 5.1) that I is a principal ideal so that there exists g (x) ∈ F [x] such that I = g (x)F [x]. It is then a simple matter to determine whether f (x) ∈ I . We simply apply the division algorithm to obtain f (x) = q(x) g (x) + r(x) where r(x) = 0 or deg(r(x)) < deg(g (x)). Then f (x) ∈ I if and only if r(x) = 0.
350 Introduction to Applied Algebraic Systems
Thus, we can use the division algorithm to solve the membership problem—that is, to determine whether a polynomial f (x) chosen at random from F [x] is a member of I . This suggests the possibility that a division algorithm in F [x1 , . . . , xn ] might also have many applications. However, we have to proceed with some caution because there are pitfalls. The theory of division of polynomials in several variables is a good deal more subtle than that for polynomials in a single variable. The problem is well illustrated by the following example. Suppose that we want to divide x 3 + y 2 by x + y. Using the method of long division, we might calculate x 2 − xy + y 2 3 x +y x + y2 3 2 x +x y − x 2y − x 2 y − xy 2 xy 2 + y 2 xy 2 + y 3 y2 − y3 which yields x 3 + y 2 = (x 2 − xy + y 2 )(x + y) + y 2 − y 3 .
(5.8)
On the other hand, since x + y = y + x, we might just as easily calculate y −x 2 y +x y + x3 2 y + xy − xy − xy − x 2 x2 + x3 which yields y 2 + x 3 = (y − x)(y + x) + x 2 + x 3 .
(5.9)
Thus, there is no well-defined notion of quotient and remainder without the introduction of some new features or constraints. The concepts required to bring some order to this situation appeared relatively recently (1960s), compared with the centuries that mathematicians have been studying polynomials. Yet, the key idea can be found if we take a look at how the division algorithm works in F [x]. Let us revisit Example 2.4.5, where f (x) = x 5 + 4x 3 + 4x 2 + 3
Rings and Polynomials 351
and g (x) = x 2 + 3x + 2 are polynomials in Z5 [x]. Dividing f (x) by g (x) we obtain x3 x 2 + 3x + 2 x 5 +0 · x 4 +4 · x 3 x 5 +3x 4 +2x 3 2x 4 +2x 3 2x 4 +x 3 x3 x3
+2x 2 +x + 2 +4 · x 2 +0 · x + 3 +4x 2 +4x 2 +0 · x 2 +3x 2 2x 2 2x 2
+0 · x +2x +3x + 3 +x + 4 2x + 4.
Working through the calculation, we see that all the action is dictated by the x 2 term in the divisor. It is the leading term in deciding what happens at each stage. The other terms have a secondary role only. This suggests that if we want to design a division algorithm for polynomials in several variables, then we should fix on a leading term in the divisor and use that to determine what happens at each stage in the division. This leads us to the question of how to pick a leading term in a consistent way. For example, suppose that we wish to divide by g (x, y, z) = x 7 y 2 z 3 + x 4 y 8 z 4 + y 6 z 7 , What term should we choose? We need an orderly approach. One approach (and we emphasize that there are others) is to introduce an ordering of the variables. For example, if we are dealing with polynomials in F [x1 , x2 , . . . , xn ], then we might choose the ordering x1 > x2 > x3 > · · · > xn−1 > xn , although any ordering would do. We extend this to an ordering of the set M of monomials. Consider two monomials α
m1 = xiα11 · · · xik k ,
β
β
m2 = xj11 · · · xj .
If any variable, xi say, does not appear in m1 or m2 , then we add a factor xi0 and write the variables in the order that we have chosen for the variables. In our case, m1 = x1α1 x2α2 · · · xnαn ,
β
β
m2 = x1 1 x2 2 · · · xnβn .
352 Introduction to Applied Algebraic Systems
Note that every variable now appears in its proper place in m1 and m2 . Now define m1 > m2 ⇐⇒ αi > βi
where i is the least integer with αi = βi .
This ordering of the set M of monomials is known as the lexicographic ordering. For example, if we use x, y, z to denote our variables and order them as x>y>z then in the lexicographic ordering, x 8y 3z 2 > x 7 > x 6y 5z 5 > x 6y 4z 8. Of course, if we choose a different ordering for the variables, then we will obtain a different ordering for the monomials. For instance, if we have y>z >x then y 5z 5x 6 > y 4z 8x 6 > y 3z 2x 8 > x 7. The lexicographic ordering of monomials has three important properties: M1: The order relation < is a total order—that is, for any monomials m1 and m2 , exactly one of the following must hold: m1 < m2
or
m1 = m2
or
m1 > m2 .
M2: The order relation < is a compatible order relation—that is, if m, m1 , and m2 are monomials, then m1 > m2 =⇒ mm1 > mm2 . M3: The set of monomials is well ordered with respect to the relation <—that is, every nonempty subset of monomials has a smallest member. Any order relation on the set M of monomials satisfying M1, M2, and M3 is called a monomial order. Properties M1 and M2 are pretty straightforward. With regard to property M3, it is easy to make the mistake of thinking that it is obvious because there are only finitely many monomials smaller than any chosen monomial. After all, this is basically the reason that N is well ordered. However, in this case,
Rings and Polynomials 353
most monomials are bigger than infinitely many monomials. For example, for monomials in x, y, z with x > y > z, we have x > ymzn
(for all m, n ∈ N).
So the well-ordering property is not quite so obvious. However, consider any nonempty set M of monomials x α y β z γ . Let Ex = {α ∈ N ∪ {0} | ∃ x α y β z γ ∈ M }. Since N ∪ {0} is well ordered and Ex is a nonempty subset of N ∪ {0}, Ex must have a smallest member α0 , say. Now let Ey = {β ∈ N ∪ {0} | ∃ x α0 y β z γ ∈ M }. Since N ∪ {0} is well ordered, this set must also have a smallest element β0 , say. Finally, let Ez = {γ ∈ N ∪ {0} | ∃ x α0 y β0 z γ ∈ M }. Again, this set must have a smallest element γ0 , say, and then it is evident that m = x α0 y β0 z γ0 is the smallest element in M . Thus, the set of all monomials in x, y, and z is well ordered. It is clear that the argument will extend to any number of variables. We can now introduce some terminology for polynomials in several variables corresponding to the terminology that we had for polynomials in a single variable. Let cα mα ∈ F [x1 , . . . , xn ] f (x1 , . . . , xn ) = α
where each mα is a monomial. Assume that we have adopted a monomial order. Then we define leading monomial = lm (f ) = mα where cα = 0 and mα > mβ ∀ β = α with cβ = 0 leading coefficient = lc (f ) = cα where lm (f ) = mα leading term
= lt (f ) = cα mα where lm (f ) = mα .
For example, if f (x, y, z) = 10x 8 y 3 z 2 + 11x 7 + 12x 6 y 5 z 5 + 13x 6 y 4 z 8
354 Introduction to Applied Algebraic Systems
and we adopt the lexicographic ordering based on y>z >x then lm (f ) = y 5 z 5 x 6 lc (f ) = 12 lt (f ) = 12y 5 z 5 x 6 . Whenever there is a reference to the leading term, monomial, or coefficient of a polynomial, it is to be understood that it is with reference to some monomial order. In the next lemma, we list some simple observations concerning these concepts. Lemma 5.3.1 Let f , g ∈ F [x1 , . . . , xn ]. (i) lt (f ) = lc (f ) · lm (f ). (ii) lt (f · g ) = lt (f ) · lt (g ). Proof. (i) This follows immediately from the definitions. (ii) This follows from property M2 of the ordering of monomials.
Theorem 5.3.2 (Division Algorithm in n variables for a single divisor) Let f , g ∈ F [x1 , . . . , xn ]. Then there exist q, r ∈ F [x1 , . . . , xn ] such that f = qg + r where, if r =
α
cα rα (cα ∈ F , rα ∈ M), then lt (g ) does not divide rα for any
α (with cα = 0). Moreover, q and r are unique. Proof. First compare the leading terms of f and g . If lt (g ) divides lt (f ), then let f1 = f −
lt (f ) · g, lt (g )
q1 =
lt (f ) , lt (g )
r1 = 0.
If lt (g ) does not divide lt (f ), then let f1 = f − lt (f ) ,
q1 = 0 ,
r1 = lt (f ).
Note that in both cases, f = f1 + q1 g + r1
(5.10)
Rings and Polynomials 355
where lt (g ) does not divide any term in r1 . Also, in both cases, we must have lt (f1 ) < lt (f ). Now repeat this procedure with f1 to obtain f1 = f2 + q2 g + r2 where lt (g ) does not divide any term in r2 and lt (f2 ) < lt (f1 ). We now have from equation (5.10) that f = f1 + q1 g + r 1 = f2 + (q1 + q2 ) g + r1 + r2 where lt (f2 ) < lt (f1 ) < lt (f ) and lt (g ) does not divide any term in r1 + r2 . Now repeat the process with f2 , and so on. The critical question now is whether the process will stop. This is not immediately obvious for the following reason. Each time we perform the step fi+1 = fi −
lt (fi ) g lt (g )
although we eliminate the leading term of fi , we introduce a whole collection of terms corresponding to the other nonleading terms in g so that we may end up with more terms in fi+1 than we had in fi . The critical observation here is lt (f ) that the leading terms in fi and lt (gi ) · g are the same. Therefore, the leading lt (f )
term in fi+1 = fi − lt (gi ) ·g must be smaller. The same applies when the leading term in fi is transferred to the remainder. So suppose that we let A = {lm (fi ) | i = 1, 2, . . . }. This is a subset of monomials and so, by property M3, must contain a smallest member. Hence, the process must stop. Let it stop at i = m. Then we must have fm = 0; otherwise, we could proceed one step further, so that we find f = (q1 + q2 + · · · + qm ) g + (r1 + r2 + · · · + rm )
356 Introduction to Applied Algebraic Systems
where the leading term of g does not divide any of the terms in r1 +r2 +· · ·+rm . This establishes the main claim. Now let f = qg + r = q1 g + r1 . Then r1 − r = (q − q1 ) g . Suppose that q − q1 = 0 and let lt (q − q1 ) = cm = 0 where c ∈ F , m ∈ M. Then, by Lemma 5.3.1 (ii), lt (r − r1 ) = −lt ((q − q1 ) g ) = −lt (q − q1 ) · lt (g ) = −cm · lt (g ). But any term in r − r1 is just the difference of two terms involving the same monomials from r and r1 , so that, in particular, lt (r − r1 ) = at − a1 t = (a − a1 ) t where, for some a, a1 ∈ F and t ∈ M, at is a term in r and a1 t is a term in r1 . Hence, lt (g ) divides (a − a1 ) t and, therefore, t . This is a contradiction. Consequently, q − q1 = 0, which leads to q = q1 and r = r1 . For any polynomial f ∈ F [x1 , . . . , xn ], we define the xi degree of f , which we denote by deg xi (f ), to be the degree of f when considered as a polynomial in xi with coefficients in F [x1 , . . . , xi−1 , xi+1 , . . . , xn ]. For the sake of simplicity, the next two results are set in F [x, y, z], but clearly extend to an arbitrary number of variables. We will use the techniques of this section to obtain the results, though other methods would also work. Corollary 5.3.3 Let f , g ∈ F [x, y, z] and let g = ax n + p (x, y, z) where a ∈ F ∗ , n ≥ 1, and degx (p (x, y, z)) < n. Then there exist q, r ∈ F [x, y, z] such that f = qg + r
and degx (r) < n.
Moreover, q and r are unique. Proof. We adopt the lexicographic order for monomials based on x > y > z. Then, lt (g ) = ax n . By the division algorithm (Theorem 5.3.2), there exist unique q, r ∈ F [x, y, z] with f = qg + r where lt (g ) does not divide any term in r. Hence, degx (r) < n.
Rings and Polynomials 357
The next result should look a little bit familiar. Corollary 5.3.4 Let f (x, y, z) ∈ F [x, y, z], a ∈ F , and f (a, y, z) = 0. Then there exists q(x, y, z) ∈ F [x, y, z] with f (x, y, z) = (x − a) q(x, y, z). Proof. We adopt the lexicographic order for monomials based on x > y > z. Let g (x, y, z) = x − a. By the division algorithm, there exist q, r ∈ F [x, y, z] such that f (x, y, z) = (x − a) q + r where x = lt (g ) does not divide any term in r. Hence, r = r(y, z) ∈ F [y, z]. Consequently, 0 = f (a, y, z) = (a − a) q + r = r. Therefore, f (x, y, z) = (x − a) q as required.
In the previous corollaries, we already see some applications of our division algorithm for polynomials in several variables. However, we have further extensions of the division algorithm to consider in the next section. Exercises 5.3 1. Show that it would not be sufficient in Theorem 5.2.8 to assume only that the functions associated with f and g agree on an infinite subset of F n (as opposed to the whole of F n ). 2. Let f (x, y), g (x, y) ∈ F [x, y] and let g (x, y) = ax + p (y) where a = 0, p (y) ∈ F [y]. Show that there exists q(x, y) ∈ F [x, y], r(y) ∈ F [y] such that f (x, y) = g (x, y) q(x, y) + r(y). 3. Let f (x, y) ∈ R[x, y] and let the line L, given by ax + by + c = 0, a = 0, be such that for infinitely many points (x1 , y1 ) on L, we have f (x1 , y1 ) = 0. Show that ax + by + c divides f (x, y).
358 Introduction to Applied Algebraic Systems
5.4 Multiple Divisors: Groebner Bases
When working with polynomials in a single variable (that is, in F [x]), we have seen in Theorem 5.1.7 that every ideal is generated by a single polynomial. This does not carry over to ideals in several variables. For example, consider I = {f (x, y) ∈ F [x, y] | f (0, 0) = 0}. This just consists of all polynomials in x, y for which the constant term is zero and is clearly an ideal in F [x, y]. It is evident that I = x, y and that no single polynomial will generate I. However, we will see in this section that at least a finite number of polynomials will do the job for us. Let I be an ideal in F [x1 , . . . , xn ]. As we shall see, there exist g1 , g2 , . . . , gm ∈ F [x1 , . . . , xn ] with I = g1 , g2 , . . . , gm . Now consider the membership problem for I . In other words, given f ∈ F [x1 , . . . , xn ], how can we determine whether f ∈ I ? Following the pattern for one variable, we would like to write f =
m
qi gi + r
i=1
in such a way that f ∈ I if and only if r = 0. This suggests that we need an algorithm that “divides” f by several polynomials instead of the usual single divisor. Lemma 5.4.1 Let f , g1 , g2 , . . . , gm ∈ F [x1 , x2 , . . . , xn ]. Then there exist q1 , q2 , . . . , qm , r ∈ F [x1 , x2 , . . . , xn ] such that f = q1 g1 + q2 g2 + · · · + qm gm + r where either r = 0 or r is a sum of monomial terms, none of which is divisible by any of lt (g1 ), . . . , lt (gm ). Proof. The proof is very similar to that of Theorem 5.3.2. The only difference is that before assigning a term to the remainder r, we try to divide it by all the leading terms lt (gi ), 1 ≤ i ≤ m, in turn according to their order under the monomial ordering. There is one desirable feature that is noticeably absent in Lemma 5.4.1— namely, uniqueness. Whenever m ≥ 2, uniqueness of the qi becomes a lost
Rings and Polynomials 359
cause because we can always replace q1 g1 + q2 g2 with (q1 + g2 ) g1 + (q2 − g1 ) g2 . The possibility that r might be unique remains, and this is important. However, the uniqueness of r will not come without some constraint on the gi . Example 5.4.2 g1 = x 3 y 2 + 1 ,
g2 = x 2 y 3 + 1 ∈ F [x, y].
Then 0 = 0 · g1 + 0 · g 2 + 0 = y · g1 − x · g 2 + x − y which gives us two distinct ways to write zero in the form q1 g1 + q2 g2 + r where no term of r is divisible by any of the leading terms of g1 and g2 . The critical idea comes from comparing the leading monomials in I = g1 , . . . , gm with lm (g1 ), . . . , lm (gm ). Note that in the previous example that y − x = y · g1 − x · g2 ∈ g1 , g2 . However, lt (g1 ) = x 3 y 2 ,
lt (g2 ) = x 2 y 3
so that neither term in x − y is divisible by lt (g1 ) or lt (g2 ). In some sense this has allowed y − x to slip through the net of the division algorithm. What is critical here is that y − x is still an element of g1 , g2 . Before we get to the solution of this conundrum, we need the following observation. Lemma 5.4.3 Any nonzero ideal I ⊆ F [x1 , . . . , xn ] that is generated by monomials is generated by a finite set of monomials. Proof. The general argument proceeds by induction on n. To keep it reasonably simple, we will just consider the cases n = 1 and 2. These cases will
360 Introduction to Applied Algebraic Systems
illustrate the elements of the general proof quite well. So first let n = 1 and I = x i | i ∈ A where A ⊆ N ∪ {0}. Let m = min{i | i ∈ A}. Then x m ∈ I and we have x m ⊆ I = x i | i ∈ A ⊆ x m so that I = x m , and we have the desired result. Now let I ⊆ F [x, y] and A ⊆ (N ∪ {0}) × (N ∪ {0}) be such that I = x i y j | (i, j) ∈ A. Let J = x i | ∃ j with x i y j ∈ I . If J = {0}, then I ⊆ F [y] and we are back in the single-variable case. So we will assume that J = {0}. Clearly, J is an ideal in F [x] that is generated by monomials and so, by the preceding, J = x m for some integer m. Now let k be such that x m y k ∈ I . Define I0 = x i | x i ∈ I I1 = x i | x i y ∈ I I2 = x i | x i y 2 ∈ I .. . Ik−1 = x i | x i y k−1 ∈ I . Each of these ideals is generated by monomials in F [x] and so each is generated by a single monomial, say Ij = x mj . Now set K = x m y k , x m0 , x m1 y, . . . , x mk−1 y k−1 . Since each generator for K is a monomial in I , it follows immediately that K ⊆ I . Conversely, let x s y t be any monomial in I . We have t ≥ k =⇒ x s ∈ J = x m =⇒ m ≤ s =⇒ x s y t = x s−m y t −k (x m y k ) ∈ K
Rings and Polynomials 361
whereas t < k =⇒ x s ∈ It = x mt =⇒ mt ≤ s =⇒ x s y t = x s−mt (x mt y t ) ∈ K . Thus, in all cases, x s y t ∈ K . Since I is generated by monomials, it follows that I ⊆ K and therefore that I = K , yielding the desired conclusion. Definition 5.4.4 Let I be an ideal in F [x1 , . . . , xn ], g1 , . . . , gk ∈ F [x1 , . . . , xn ]. Then {g1 , . . . , gk } is a Groebner basis for I (with respect to a monomial order) if (i) I = g1 , . . . , gk (ii) g ∈ I , g = 0 ⇒ ∃ i such that lt (gi ) divides lt (g ). Note that, by definition, a Groebner basis is necessarily finite. Theorem 5.4.5 (Buchberger) Every nonzero ideal I in F[x1 , . . . , xn ] has a Groebner basis. Proof. Let M = m | m = lm (f ), for some f ∈ I . By Lemma 5.4.3, there exists a finite set {m1 , m2 , . . . , mk } of monomials that generates M : M = m1 , m2 , . . . , mk . It is easy to see that each of these monomials is the leading monomial of a polynomial in I , say mi = lm (gi )
i = 1, 2, . . . , k
where each gi ∈ I . The polynomials gi are going to be our generators for I . Let f ∈ I . Dividing f by g1 , . . . , gk as in Lemma 5.4.1, we obtain f = a1 g1 + a2 g2 + · · · + ak gk + r where no term in r is divisible by any of the leading terms of g1 , . . . gk . However, r = f − a1 g1 − a2 g2 − · · · − ak gk ∈ I
362 Introduction to Applied Algebraic Systems
which implies that either r = 0 or lm (r) ∈ M = m1 , . . . , mk . However, the latter would imply that mi | lm (r), for some i, and therefore that lt (gi ) | lt (r), which would be a contradiction. So we must have r = 0 and f = a1 g1 + · · · + ak gk ∈ g1 , . . . , gk . Therefore, I ⊆ g1 , . . . , gk and the reverse containment is trivial. Thus I = g1 , . . . , gk . Finally, f ∈ I =⇒ lm (f ) ∈ M =⇒ mi | lm (f ), for some i =⇒ lt (gi ) | lt (f ), for some i. Therefore, {g1 , . . . , gk } is a Groebner basis for I .
One important consequence of Theorem 5.4.5, is a famous result known as Hilbert’s Basis Theorem which states that every nonzero ideal in F [x1 , . . . , xn ] has a finite basis. From this we can attain our goal of a unique remainder under division by multiple divisors, when properly executed. Theorem 5.4.6 (Division Algorithm with Multiple Divisors in F [x1 , . . . , xn ]) Let {g1 , . . . , gk } be a Groebner basis for the ideal I in F [x1 , . . . , xn ]. Let f ∈ F [x1 , . . . , xn ]. Then there exist q1 , . . . , qk , r ∈ F [x1 , . . . , xn ] such that f = q1 g1 + · · · + qk gk + r and no monomial term in r is divisible by any of lt (g1 ), . . . , lt (gk ). Moreover, r is unique. Proof. In light of Lemma 5.4.1, it only remains to verify the uniqueness of r. Let f = q1 g1 + · · · + qk gk + r = q1∗ g1 + · · · + qk∗ gk + r ∗
Rings and Polynomials 363
where no term in r or r ∗ is divisible by any of lt (g1 ), . . . , lt (gk ). Then, r ∗ − r = (q1 − q1∗ )g1 + · · · + (qk − qk∗ )gk ∈ I . If r ∗ − r = 0, then we are done. So suppose that r ∗ − r = 0. Since {g1 , . . . , gk } is a Groebner basis for I , there must exist gi such that lt (gi ) divides lt (r ∗ − r). Now, lt (r ∗ − r) is just the difference between two monomial terms c ∗ m, cm, say, in r ∗ and r, respectively. Thus we can write lt (r ∗ − r) = (c ∗ − c)m. But then the lt (gi ) must divide both c ∗ m and cm, contradicting the assumption that no term in r or r ∗ is divisible by any of lt (g1 ), . . . , lt (gk ). Hence, r ∗ −r = 0 and r ∗ = r, as required. Theorem 5.4.6 provides the solution to the membership problem for ideals in F [x1 , . . . , xn ] that we were looking for. Corollary 5.4.7 Let {g1 , . . . , gk } be a Groebner basis for the ideal I in F [x1 , . . . , xn ] and f ∈ F [x1 , . . . , xn ]. Let f =
qα gα + r
as in Theorem 5.4.6. Then f ∈ I if and only if r = 0. Theorem 5.4.5 may be very satisfying, but it asserts the existence of a Groebner basis leaving one question unanswered. Given an ideal I = g1 , . . . , gk , how do we find a Groebner basis for I ? From Example 5.4.2, we can see that this is not a simple question. However, the very calculation that we performed in Example 5.4.2 is how we find the solution. For any monomial terms m1 = c1 x1α1 · · · xnαn ,
β
m2 = c2 x1 1 · · · xnβn
(c1 , c2 = 0)
we define the least common monomial multiple of m1 and m2 to be max(α1 ,β1 )
lcmm (m1 , m2 ) = x1
· · · xnmax(αn ,βn ) .
364 Introduction to Applied Algebraic Systems
For any g1 , g2 ∈ F [x1 , . . . , xn ], we define g1 ∗ g2 =
lcmm (lt (g1 ), lt (g2 )) lcmm (lt (g1 ), lt (g2 )) g1 − g2 . lt (g1 ) lt (g2 )
The idea is that we take the smallest multiples of g1 and g2 that will enable us to cancel the leading terms through subtraction. For example, with g1 and g2 as in Example 5.4.2, lt (g1 ) = x 3 y 2 ,
lt (g2 ) = x 2 y 3
lcmm (lt (g1 ), lt (g2 )) = x 3 y 3 and g1 ∗ g2 = yg1 − xg2 = y − x. This is the basis for the following result, which we present without proof (see [CLO]). Theorem 5.4.8 (Buchberger’s Algorithm) Let I = g1 , . . . , gk ⊆ F [x1 , . . . , xn ]. Let B1 = {g1 , . . . , gk } and for i = 1, 2, . . . define Ri+1 , Bi+1 as follows: Ri+1 = set of nonzero remainders obtained from all the polynomials g ∗ h, g , h ∈ Bi on division by Bi Bi+1 = Bi ∪ Ri+1 . Then there exists an integer m such that Bm = Bm+1 , and Bm is a Groebner basis for I . The Groebner basis produced by Buchberger’s algorithm may contain some obvious redundancies that can be deleted. There are various refinements that can be introduced and that lead to a unique form of the basis. The Groebner basis generated by Buchberger’s algorithm can look quite different from the original basis. In Example 5.4.2 we have the basis B1 = {a, b}
for
I = a, b
where a = a(x, y) = x 3 y 2 + 1 ,
b = b(x, y) = x 2 y 3 + 1.
Rings and Polynomials 365
With the lexicographic order based on x > y, we compute a ∗ b = y(x 3 y 2 + 1) − x(x 2 y 3 + 1) = y − x. Division of c = −x + y by B1 yields c as the remainder. Hence, B2 = {a, b, c}. We have already computed a ∗ b, so there is no need to recompute it. At this step we just consider a ∗ c and b ∗ c. We have a ∗ c = 1 · (x 3 y 2 + 1) + x 2 y 2 · (−x + y) = x 2y 3 + 1 =b so that the remainder will be zero. Next b ∗ c = 1 · (x 2 y 3 + 1) + xy 3 (−x + y) = 1 + xy 4 where 1 + xy 4 = −y 4 (−x + y) + 1 + y 5 . Thus, the remainder in this case is d = 1 + y5 and B3 = {a, b, c, d}. Continuing, a ∗ d = y 3 (x 3 y 2 + 1) − x 3 (y 5 + 1) = y 3 − x 3 = (y − x)(y 2 + xy + x 2 ) , b ∗ d = y 2 (x 2 y 3 + 1) − x 2 (y 5 + 1) = y 2 − x 2 = (y − x)(y + x),
366 Introduction to Applied Algebraic Systems
c ∗ d = −y 5 (−x + y) − x(y 5 + 1) = −(y 6 + x) = −y(y 5 + 1) + (−x + y). Thus, the remainders from a ∗ d, b ∗ d, and c ∗ d are all zero. Thus, B3 = {x 3 y 2 + 1, x 2 y 3 + 1, −x + y, 1 + y 5 } is a Groebner basis for I = x 3 y 2 + 1, x 2 y 3 + 1. Now any monomial that is divisible by x 3 y 2 or x 2 y 3 is also divisible by the leading term −x of −x + y. Thus, a and b are not needed for any contribution from their leading terms. Moreover, x 3 y 2 + 1 = (−x 2 y 2 − xy 3 − y 4 )(−x + y) + y 5 + 1 x 2 y 3 + 1 = (−xy 3 − y 4 )(−x + y) + y 5 + 1 so that x 3 y 2 + 1, x 2 y 3 + 1 ∈ −x + y, 1 + y 5 . Therefore, I = −x + y, 1 + y 5 and B4 = {−x + y, 1 + y 5 } is a simpler Groebner basis for I . If we had chosen to order the variables with y > x, we would have obtained the Groebner basis B5 = {x − y, 1 + x 5 }. Exercises 5.4 1. Divide the polynomial x 2 z − y 3 by the polynomials x 2 + y, y 2 + z, x + z 2 and the polynomials x + z 2 , y 2 + z, x 2 + z (as in Lemma 5.4.1) to show that the remainder depends on the order in which the divisors are applied.
Rings and Polynomials 367
2. Show that {x + z 2 , y + z 4 , z + z 8 } is a Groebner basis for I = x 2 + y, y 2 + z, z 2 + x ⊆ F [x, y, z] using Buchberger’s algorithm with the lexicographic order based on x > y > z. 3. Let I be an ideal in F [x1 , . . . , xn ] and g1 , . . . , gk ∈ I be such that g ∈ I =⇒ ∃ i such that lt (gi ) divides lt (g ). Show that {g1 , . . . , gk } is a Groebner basis for I . 4. Show that the following three conditions on a ring R are equivalent: (i) For every ascending chain of ideals I1 ⊆ I2 ⊆ . . ., there exists an integer N such that IN = IN +1 = . . .. (ii) Every nonempty set C of ideals contains a maximal ideal. (iii) Every ideal in R is finitely generated.
5.5 Ideals and Affine Varieties
One of the important reasons for studying ideals in F [x1 , . . . , xn ] is their connection with the zeros of polynomials. We begin to explore this relationship in this section. We remind you that, if f = f (x1 , . . . , xn ), g = g (x1 , . . . , xn ) ∈ [x1 , . . . , xn ], then fg denotes the product of polynomials, not the composition of polynomials. Lemma 5.5.1 Let V ⊆ F n . Then I (V ) = {f ∈ F (x1 , . . . , xn ) | f (a1 , . . . , an ) = 0 ∀ (a1 , . . . , an ) ∈ V } is an ideal of F (x1 , . . . , xn ). Proof. Clearly, I (V ) = ∅ because it contains the zero polynomial. Let f , g ∈ I (V ) and (a1 , . . . , an ) ∈ V . Then, (f − g )(a1 , . . . , an ) = f (a1 , . . . , an ) − g (a1 , . . . , an ) =0−0 =0
368 Introduction to Applied Algebraic Systems
and, for any h ∈ F [x, . . . , xn ], we have (hf )(a1 , . . . , an ) = h(a1 , . . . , an ) f (a1 , . . . , an ) = h(a1 , . . . , an ) · 0 = 0. Thus, f − g , hf ∈ I (V ). Since F [x1 , . . . , xn ] is a commutative ring, it follows that I (V ) is an ideal. We refer to I (V ) as the ideal of V or the ideal defined by V . Whenever we come across a new operator like I (−), it is always helpful to pinpoint one or two values in simple situations. The two extreme values for V would be V = ∅ and V = F n . Let f ∈ F [x1 , . . . , xn ]. Then the following implication holds: (a1 , . . . , an ) ∈ ∅ =⇒ f (a1 , . . . , an ) = 0 since there are no points in ∅ to contradict the conclusion. Hence, f ∈ V (∅) so that I (∅) = F [x1 , . . . , xn ]. At the other extreme, when V = F n , the outcome depends on the field F . If F is finite, say F = GF(p m ), then I (F ) = {0} since we know from Lemma 2.9.1 that m x p − x ∈ I (F ). It is a simple exercise to show that m
I (F ) = x p − x. On the other hand, suppose that F is infinite. Then, f ∈ I (F n ) =⇒ f (a1 , . . . , an ) = 0 =⇒ f = 0 Thus, in this case,
∀ (a1 , . . . , an ) ∈ F n
by Theorem 5.2.8.
I (F n ) = {0}.
For another example, suppose that we let P = (a, b) ∈ R2 and set V = {P}. What is I (V )? Clearly, I (V ) does not contain any nonzero constants. Looking at polynomials of degree 1 we see that x − a, y − b ∈ I (V ) so that x − a, y − b ⊆ I (V ).
Rings and Polynomials 369
Now consider any f (x) ∈ I (V ). By Lemma 5.4.1, there exist q(x, y), r(x, y) ∈ F [x, y] and c ∈ F such that f (x, y) = (x − a) q(x, y) + (y − b)r(x, y) + c where no term in c is divisible by either lt(x − a) = x or lt(y − b) = y. Therefore c must be a constant. Then 0 = f (a, b) = (a − a) q(x, y) + (b − b)r(x, y) + c = c. Thus, f (x, y) ∈ x − a, y − b. Therefore, I (V ) ⊆ x − a, y − b, from which it follows that I (V ) = x − a, y − b. This argument is easily extended to yield the following useful observation concerning F n . Let P = (a1 , . . . , an ) be a point in Fn and set V = P. Then I (V ) = x1 − a1 , x2 − a2 , . . . , xn − an From Lemma 5.5.1, we see that subsets of F n define ideals in F [x1 , . . . , xn ]. Conversely, subsets of F [x1 , . . . , xn ] can be used to identify special subsets of F n . For any subset A ⊆ F [x1 , . . . , xn ], we define V (A) = {(a1 , . . . , an ) ∈ F n | f (a1 , . . . , an ) = 0
∀ f ∈ A}.
Another way of viewing V (A) is as the solution set for the set of polynomial equations f (x1 , . . . , xn ) = 0
(f ∈ A).
Any subset of F n of the form V (A), where A ⊆ F [x1 , . . . , xn ] is called an affine variety. If A = {f } has only one element, we may also write V (A) = V (f ). If n = 2, that is if f ∈ F [x1 , x2 ] and is nonconstant, we will refer to V (f ), or simply to f or f = 0, as (defining) a curve. If the degree of f is one, then the curve is a line and if the degree of f is two, then it is a conic. Example 5.5.2 Any linear equation ax + by + c = 0 defines a line in R2 and a linear equation a1 x1 + a2 x2 + · · · + an xn = 0 defines a hyperplane in Rn . Example 5.5.3 The familiar conics provide examples of curves in R2 defined by quadratic polynomials. (1) The empty set: x 2 + y 2 + 1 = 0. (2) A point: (x − a)2 + (y − b)2 = 0. (3) Two intersecting lines: (a1 x + b1 y + c1 )(a2 x + b2 y + c2 ) = 0, where a1 b2 = a2 b1 . (4) A circle: (x − a)2 + (y − b)2 = r 2 . (5) A parabola: (y − b)2 = c(x − a), c = 0.
370 Introduction to Applied Algebraic Systems
(6) An ellipse:
(x − x1 )2 (y − y1 )2 + = 1. a2 b2
(7) A hyperbola:
(x − x1 )2 (y − y1 )2 − = 1. a2 b2
We are a good deal more familiar with affine varieties, as the previous examples illustrate, than with the corresponding ideals. However, it is still useful to identify the extreme values. In this case, it is not difficult to see that V (0) = F n ,
V (F [x1 , . . . , xn ]) = ∅.
We now have mappings from subsets of F n to subsets of F [x1 , . . . , xn ] and back again. What happens when we compose them? Proposition 5.5.4 Let U , V ⊆ F n and A, B ⊆ F [x1 , . . . , xn ]. Then (i) U ⊆ V ⇒ I (V ) ⊆ I (U ), A ⊆ B ⇒ V (B) ⊆ V (A). (ii) V ⊆ V (I (V )), A ⊆ I (V (A)). Proof. (i) Let f ∈ I (V ) and (a1 , . . . , an ) ∈ U . Then (a1 , . . . , an ) ∈ V so that f (a1 , . . . , an ) = 0 . Hence, f ∈ I (U ) and so I (V ) ⊆ I (U ). Now let (a1 , . . . , an ) ∈ V (B) and f ∈ A. Then, f ∈ B and so f (a1 , . . . , an ) = 0. Hence, (a1 , . . . , an ) ∈ V (A) and so V (B) ⊆ V (A). (ii) Let (a1 , . . . , an ) ∈ V . Then, for any f ∈ I (V ) we have f (a1 , . . . , an ) = 0. Hence, (a1 , . . . , an ) ∈ V (I (V )) so that V ⊆ V (I (V )). Similarly, let f ∈ A. Then, for any (a1 , . . . , an ) ∈ V (A) we have f (a1 , . . . , an ) = 0. Hence, f ∈ I (V (A)) so that A ⊆ I (V (A)). As it turns out, we do not lose any affine varieties if we restrict our attention to those of the form V (I ) for some ideal I . Corollary 5.5.5 Let A ⊆ F [x1 , . . . , xn ]. Then V (A) = V (A). Proof. Since A ⊆ A, it follows from Proposition 5.5.4 (i) that V (A) ⊆ V (A). So let (a1 , . . . , an ) ∈ V (A). Consider any f ∈ A. Then there exist
Rings and Polynomials 371
f1 , . . . , fm ∈ A and g1 , . . . , gm ∈ F [x1 , . . . , xn ] with f = g1 f1 + · · · + gm fm . Hence, since fi ∈ A for all i, f (a1 , . . . , an ) = g1 (a1 , . . . , an )f1 (a1 , . . . , an ) + · · · + gm (a1 , . . . , an )fm (a1 , . . . , an ) = g1 (a1 , . . . , an ) · 0 + · · · + gm (a1 , . . . , an ) · 0 = 0. Since this holds for all f ∈ A, it follows that (a1 , . . . , an ) ∈ V (A). Therefore, V (A) ⊆ V (A) and equality prevails. Corollary 5.5.6 The mapping I from the set of affine varieties in F n to the set of ideals in F [x1 , . . . , xn ] is injective. Proof. Let V1 and V2 be distinct affine varieties in F n , say V1 = V (A1 ), V2 = V (A2 ) where A1 , A2 ⊆ F [x1 , . . . , xn ]. Since V1 = V2 , there is no loss in assuming that there exists (a1 , . . . , an ) ∈ V1 \V2 . By the definition of V1 and V2 it follows that there must be an element f ∈ A2 such that f (a1 , . . . , an ) = 0. Consequently f ∈ I (V1 ). But, by Proposition 5.5.4 (ii), f ∈ A2 ⊆ I (V (A2 )) = I (V2 ). Therefore, I (V1 ) = I (V2 ).
In contrast to Corollary 5.5.6, it is easy to see that the mapping V is not injective on ideals. For example, V (x) = V (x 2 ) = · · · = V (x n ). Certain simple combinations of affine varieties are also affine varieties. Lemma 5.5.7 Let U , V ⊆ F n be affine varieties. Then U ∪ V and U ∩ V are also affine varieties. Proof. Let A, B ⊆ F [x1 , . . . , xn ] be such that U = V (A),
V = V (B).
Let AB = {fg | f ∈ A, g ∈ B}.
372 Introduction to Applied Algebraic Systems
We will show that (i) U ∩ V = V (A ∪ B) (ii) U ∪ V = V (AB). (i) Let x = (a1 , . . . , an ) ∈ U ∩V = V (A)∩V (B). Then for any f ∈ A∪B, we have either f ∈ A and x ∈ V (A) or f ∈ B and x ∈ V (B). Either way, f (a1 , a2 , . . . , an ) = 0. Thus, x ∈ V (A ∪ B) and U ∩ V ⊆ V (A ∪ B). Conversely, x ∈ V (A∪B) implies that x ∈ V (A) = U and x ∈ V (B) = V so that x ∈ U ∩ V . Thus, V (A ∪ B) ⊆ U ∩ V and equality prevails. (ii) Let x = (a1 , . . . , an ) ∈ U ∪ V . Then for any f ∈ A, g ∈ B we have that either x ∈ U so that fg (x) = f (x) g (x) = 0 · g (x) = 0 or x ∈ V , yielding fg (x) = f (x) g (x) = f (x) · 0 = 0. Either way, fg (x) = 0 so that x ∈ V (AB). Thus, U ∪ V ⊆ V (AB). Conversely, let x = (a1 , . . . , an ) ∈ V (AB). Suppose that x ∈ U = V (A). Then there must exist f ∈ A such that f (x) = 0. However, x ∈ V (AB). Hence, for all g ∈ B, f (x) g (x) = fg (x) = 0. Since F is a field and f (x) = 0, it follows that g (x) = 0. Hence, x ∈ V (B) = V . Therefore, V (AB) ⊆ U ∪ V and equality prevails. We say that an affine variety U is reducible if there exist affine varieties V and W such that U = V ∪ W,
V = U , W = U .
Otherwise, U is said to be irreducible. Thus, U is irreducible if, whenever U = V ∪ W , for affine varieties V and W then either U = V or U = W . We will now see that every affine variety is just a union of irreducible affine varieties. The proof involves a nice application of Theorem 5.4.5. Theorem 5.5.8 Let V ⊆ F n be an affine variety. Then V is the union of a finite number of irreducible affine varieties. Proof. We argue by contradiction. Suppose that V is not the union of a finite number of irreducible affine varieties. Then V itself must be reducible, say V = V 1 ∪ W1
Rings and Polynomials 373
where V1 and W1 are both affine varieties properly contained in V . They cannot both be a union of a finite number of irreducible varieties (otherwise, V will be the union of a finite number of irreducible varieties). Without loss of generality, we can assume that V1 is not a union of a finite number of irreducible varieties. Then we can write V1 = V2 ∪ W2 where V2 and W2 are affine varieties properly contained in V1 and at least one of V2 , W2 is not a union of a finite number of irreducible varieties. Without loss of generality, we may assume that it is V2 . Now, V = V1 ∪ V2 ∪ W2 . Continuing in this way, we obtain a strictly decreasing sequence of affine varieties: V0 = V ⊃ V1 ⊃ V2 ⊃ · · · . By Proposition 5.5.4 and Corollary 5.5.6, this yields the strictly increasing sequence I (V0 ) ⊂ I (V1 ) ⊂ I (V2 ) ⊂ · · · of ideals. Let I=
∞ ,
I (Vi ).
i=0
It is quite straightforward to verify that I is an ideal in F [x1 , . . . , xn ]. By Theorem 5.4.5, this means that there exists a finite set {f1 , . . . , fm } of polynomials such that I = f1 , . . . , fm . But then, for each i, there exists αi with fi ∈ I (Vαi ). Consequently, with α = max{α1 , . . . , αm } we have f1 , . . . , fm ∈ I (Vαm ). Therefore, I ⊆ I (Vαm ) so that I (Vαm ) = I (Vαm+1 ) = · · · = I which is a contradiction. Therefore the theorem holds.
374 Introduction to Applied Algebraic Systems
Exercises 5.5 1. Sketch the curves in R2 defined by the following polynomials. (i) (ii) (iii) (iv) (v) (vi)
f1 f2 f3 f4 f5 f6
= x − 1. = y + 2. = 3x − 2y + 4. = x 2 + y 2 + 2x − 4y + 5. = y 2 − 16x + 4. = y 2 − x 2.
2. With the notation as in the preceding exercise, sketch the following affine varieties in R2 : (i) (ii) (iii) (iv) (v)
V (f1 f3 ). V (f2 f4 ). V (f3 f5 ). V (f1 , f4 ). V (f2 , f6 ).
3. Find a polynomial f (x, y) ∈ R[x, y] such that the points (1, 1), (2, −1), (3, 1) belong to V (f ). 4. Find a polynomial f (x, y) ∈ R[x, y] such that the points (1, 1), (2, −1), (3, 1), (3, 2) belong to V (f ) but (1, 2) does not belong to V (f ). 5. Let Pi , 1 ≤ i ≤ n be distinct points in R2 . Show that there exists a polynomial f (x, y) ∈ R[x, y] such that V (f ) = {P1 , . . . , Pn }. 6. Find all points in Z27 on the curve C : y 2 − x(x − 1)(x − 2) = 0. 7. Let n ∈ N. Show that In = {f (x, y) ∈ F [x, y] | degree f (x, y) ≥ n} is not an ideal in F [x, y]. 8. Let n ∈ N. Show that Jn = {f (x, y) ∈ F [x, y] | the degree of every monomial in f (x, y) ≥ n} is an ideal in F [x, y]. 9. Let I = I (V ) where V ⊆ F n . Let f ∈ F [x1 , . . . , xn ] be such that f (x1 , . . . , xn )m ∈ I for some m ∈ N. Show that f ∈ I . 10. Show that x 2 + 2xy + y 2 = I (V ) for any V ⊆ R2 . 11. Show that J1 , as defined in Exercise 8, is of the form I (V ) for some V ⊆ F 2. 12. Show that, for m ≥ 2, Jm , as defined in Exercise 8, is not of the form I (V ) for any V ⊆ F 2 . 13. (i) Sketch the curve in R2 defined by the polynomial y − x(x 2 − 3x + 2). (ii) Sketch the curve in R2 defined by the polynomial y 2 − x(x 2 − 3x + 2).
Rings and Polynomials 375
(iii) Determine the slope of the tangents to the curve in (ii) at each point where the curve crosses the x-axis. 14. (i) Sketch the curve in R2 defined by the polynomial y − x(x 2 − 2x + 1). (ii) Sketch the curve in R2 defined by the polynomial y 2 − x(x 2 − 2x + 1). (iii) Determine the slope of the tangents to the curve in (ii) at each point where the curve crosses the x-axis. 15. (i) Sketch the curve in R2 defined by the polynomial y − (x − 1)3 . (ii) Sketch the curve in R2 defined by the polynomial y 2 − (x − 1)3 . (iii) Determine the slope of the tangents to the curve in (ii) at each point where the curve crosses the x-axis. 16. Show that any line segment in R2 of finite nonzero length is not an affine variety. 17. Show that any arc of finite nonzero length on a parabola in R2 (with the x-axis as its principal axis) is not an affine variety. 18. Let f (x, y) ∈ R[x, y] and let the parabola P, defined by the polynomial g (x, y), be such that P ∩ V (f ) is infinite. Show that g (x, y) divides f (x, y). ∗ 19.
Let V , W ⊆ F n . Establish the following: (i) I (V ∪ W ) = I (V ) ∪ I (W ). (ii) I (V ∩ W ) ⊇ I (V ) ∪ I (W ). (iii) Find an example of affine varieties V , W ⊆ R2 such that I (V ) ∪ I (W ) = I (V ∩ W ).
∗ 20.
Let A, B be ideals in F [x1 , . . . , xn ]. Establish the following: (i) V (A ∪ B) = V (A) ∩ V (B). (ii) V (A ∩ B) = V (A) ∪ V (B).
21. Let {Vi | i ∈ I } be a (possibly) infinite family of affine varieties in F n . . (i) Show that Vi is an affine variety. i∈I
(ii) Show that for every subset P of F n there is a smallest affine variety V that contains P. 22. Find - an infinite family {Vi | i ∈ I } of affine varieties such that Vi is not an affine variety. i∈I
23. Let P = (a1 , . . . , an ) be a point in F n . Show that I (P) = x1 − a1 , x2 − a2 , . . . , xn − an is a maximal ideal in F [x1 , . . . , xn ].
376 Introduction to Applied Algebraic Systems
5.6 Decomposition of Affine Varieties
We have seen earlier that every polynomial f in F [x1 , . . . , xn ] is a product of irreducible polynomials and we now see that every affine variety, such as V (f ), is a union of irreducible affine varieties. Is there any connection? First a few general trivialities. Lemma 5.6.1 Let f , g , and fi , 1 ≤ i ≤ m, be polynomials in F [x1 , . . . , xn ]. (i) V (fg ) = V (f ) ∪ V (g ). (ii) I = f1 , . . . , fm ⇒ V (I ) = V (f1 ) ∩ V (f2 ) ∩ · · · ∩ V (fm ). Proof. Exercise (see Lemma 5.5.7).
At first glance it would appear that Lemma 5.6.1 (i) tells us that f reducible =⇒ V (f ) reducible. Unfortunately, it is not quite that simple in general. Consider f = (x − y)(x 2 + y 2 + 2) ∈ R[x, y]. Then f is certainly reducible and V (f ) = V (x − y) ∪ V (x 2 + y 2 + 2). However, V (x 2 + y 2 + 2) = ∅ in R2 . The outcome is different if we consider f ∈ C [x, y]. Then V (x 2 +y 2 +2) = ∅ and V (f ) is indeed reducible. Similarly, it is possible to have f irreducible but V (f ) reducible. Let f (x, y) = y 2 + x 2 (x 2 − 1)2 ∈ R[x, y]. Then f (x, y) is irreducible but V (f ) is reducible. We can write f (x, y) = y 2 −[−x 2 (x 2 −1)2 ] and it then follows from Exercise 7 in section 5.2 that f (x, y) is irreducible. However, V (f ) = {(0, 0), (−1, 0), (1, 0)} = {(0, 0)} ∪ {(−1, 0)} ∪ {(1, 0)} and so is reducible. Thus, the picture is a little bit confused when we work over an arbitrary field, but it will be a little bit simpler if we work over an algebraically closed field. One important consequence of working over an algebraically closed field is that every nonconstant polynomial has a zero. Lemma 5.6.2 Let F be an algebraically closed field and f be a nonconstant polynomial in F [x1 , . . . , xn ]. Then V (f ) = ∅.
Rings and Polynomials 377
Proof. We argue by induction on n. The claim is true when n = 1, since that is just the definition of an algebraically closed field. Now suppose that it is true for polynomials in x1 , . . . , xn−1 and write f as a polynomial in xn f = am xnm + am−1 xnm−1 + · · · + a1 xn + a0 where a0 , . . . , am ∈ F [x1 , . . . , xn−1 ], and am = 0. If am ∈ F , then assign any values xi → αi ∈ F to xi (1 ≤ i ≤ n − 1). Then we obtain a polynomial f1 = am xnm + am−1 (α1 , . . . , αn−1 )xnm−1 + · · · + a0 (α1 , . . . , αn−1 ) ∈ F [xn ]. Since F is algebraically closed, f1 has a root αn so that (α1 , . . . , αn ) ∈ V (f ). Now suppose that am is nonconstant. Then, so is am (x1 , . . . , xn−1 ) − 1 ∈ F [x1 , . . . , xn−1 ] and, by the induction hypothesis, there exists (α1 , . . . , αn−1 ) ∈ V (am − 1). Consequently am (α1 , . . . , αn−1 ) = 1 so that f2 (xn ) = f (α1 , . . . , αn−1 , xn ) = xnm + am−1 (α1 , . . . , αn−1 )xnm−1 + · · · + a0 (α1 , . . . , αn−1 ) ∈ F [xn ]. Since F is algebraically closed, there exists αn ∈ V (f2 ). Then (α1 , . . . , αn ) ∈ V (f ). For any f ∈ F [x1 , . . . , xn ], we know that f ∈ I (V (f )) so that f ⊆ I (V (f )). In general, this inclusion will be proper (consider f (x) = x 2 ). In one important circumstance, however, we do have equality. The next result is a special case of a theorem known as Hilbert’s Nullstellensatz (see Theorem 5.6.7 below). It will help us to shed some light on the relationship between the factorization of a polynomial f and the decomposition of V (f ). Theorem 5.6.3 Let F be an algebraically closed field and f ∈ F [x1 , . . . , xn ] be an irreducible polynomial. Then I V (f ) = f . Even Theorem 5.6.3 does not hold over an arbitrary field. Consider f (x, y) = x 2 + y 4 , g (x, y) = x 2 + y 2 ∈ R[x, y]. Both of these polynomials are irreducible while V (f ) = {(0, 0)} = V (g ). Thus, g ∈ I (V (f )), but g ∈ f .
378 Introduction to Applied Algebraic Systems
The next observation will be extremely useful, especially in chapter 6. Corollary 5.6.4 Let F be an algebraically closed field and f , g ∈ F [x1 , . . . , xn ]. (i) If f is irreducible and V (f ) ⊆ V (g ), then f divides g . (ii) If f is irreducible then V (f ) is also irreducible. Proof. (i) We have g ∈ I (V (g ))
by Proposition 5.5.4 (ii)
⊆ I (V (f ))
by Proposition 5.5.4 (i)
= f
by Theorem 5.6.3
so that f divides g . (ii) By way of contradiction, suppose that V (f ) = V (A) ∪ V (B), for some affine varieties V (A), V (B) where V (A) and V (B) are both proper subsets of V (f ). By Corollary 5.5.5, we may assume that A and B are ideals in F [x1 , . . . , xn ]. By Theorem 5.4.5, there exist polynomials fi , gj with A = f1 , . . . , fk ,
B = g1 , . . . , g .
If f divides fi for all i, then V (f ) ⊆ V (fi ) for all i, so that V (f ) ⊆ V (A), which is a contradiction. Without loss of generality, assume that f does not divide f1 . For any gj , we have V (f ) = V (f1 , . . . , fk ) ∪ V (g1 , . . . , g ) =
k $5
% % $5 V (gj ) V (fi ) ∪
i=1
j=1
⊆ V (f1 ) ∪ V (gj ) = V (f1 gj )
by Lemma 5.6.1.
By part (i), this yields that f divides f1 gj , but not f1 . By Lemma 5.2.4, f | gj . Since gj was chosen arbitrarily, we have that f | gj for all j = 1, . . . , . Hence, V (f ) ⊆
5
V (gj ) = V (g1 , . . . , g ) = V (B)
which is a contradiction. Therefore the claim holds.
Note that the converse of Corollary 5.6.4 (ii) does not hold since, if V (f ) is irreducible, then so is V (f 2 ) = V (f 3 ) = · · · = V (f ), but f k is reducible for k > 1. However, if we eliminate powers, then we can do much better.
Rings and Polynomials 379
Theorem 5.6.5 Let F be an algebraically closed field and f ∈ F [x1 , . . . , xn ]. Let f =
m
fi α i
i=1
where the fi are distinct (in the sense that no two are scalar multiples of each other) irreducible polynomials in F [x1 , . . . , xn ]. (i) V (f ) = V (f1 ) ∪ V (f2 ) ∪ · · · ∪ V (fm ). (ii) I V (f ) = f1 · · · fm . (iii) If V (f ) = W1 ∪ W2 ∪ · · · ∪ W where each Wj (1 ≤ j ≤ ) is an irreducible affine variety, then = m and the Wj can be reordered so that Wi = V (fi ), i = 1, . . . , m. Proof. (i) By Lemma 5.6.1, V (f ) =
m ,
V (fiαi ) =
i=1
m ,
V (fi ).
i=1
(ii) From (i), V (f ) =
m ,
V (fi ) = V (f1 · · · fm )
i=1
=⇒ f1 · · · fm ∈ I V (f1 · · · fm ) = I V (f ) =⇒ f1 · · · fm ⊆ I V (f ). Conversely, g ∈ I V (f ) =⇒ V (f ) ⊆ V (g ) =⇒ V (fi ) ⊆ V (f ) ⊆ V (g ) =⇒ fi | g
by Corollary 5.6.4 (i)
=⇒ f1 · · · fm | g =⇒ g ∈ f1 · · · fm . Therefore equality prevails. (iii) See the exercises. We are now in a position to round out the result in Corollary 5.6.4 (ii). Corollary 5.6.6 Let F be an algebraically closed field and f ∈ F [x1 , . . . , xn ]. Then V (f ) is irreducible if and only if f = g α for some irreducible polynomial g ∈ F [x1 , . . . , xn ] and some α ∈ N.
380 Introduction to Applied Algebraic Systems
Proof. If f = g α where g is irreducible, then V (f ) = V (g α ) = V (g ) is irreducible by Corollary 5.6.4 (ii). Conversely, assume that V (f ) is irreducible and let f = f1α1 · · · fmαm where the fi are distinct irreducible polynomials in F [x1 , . . . , xn ]. Then, by Theorem 5.6.5, V (f ) = V (f1 ) ∪ · · · ∪ V (fm ) where the V (fi ) are the irreducible components of V (f ). Since V (f ) is irreducible, we must have m = 1 and f = f1α1 , where f1 is irreducible, as required. One concluding remark is appropriate here. We have seen that for every ideal J in F [x1 , . . . , xn ], we have J ⊆ I (V (J )) and that the containment may be proper. For instance, for any polynomial f in F [x1 , . . . , xn ] and for every positive integer m, it is clear that f ∈ I (V (f m )). The following remarkable result shows that the difference between J and I (V (J )), when working over an algebraically closed field, does not get much more complicated than that. Theorem 5.6.7 Hilbert’s Nullstellensatz. Let F be an algebraically closed field and let J be an ideal in F[x1 , . . . xn ]. Then # " I (V (J )) = f ∈ F [x1 , . . . , xn ]|∃m, f m ∈ I . Proof. See ([Ful], page 21) or ([Hu], Chapter 1). Exercises 5.6 In the exercises to follow we will show that the representation in Theorem 5.6.5 of V (f ) as a union of irreducible varieties is essentially unique. We continue with the notation of Theorem 5.6.5. 1. Let g , gi , hi ∈ F [x1 , . . . , xn ], where F is algebraically closed, be such that gi = ghi for i = 1, . . . , k and deg (g ) ≥ 1. Establish the following: (i) V (g1 , . . . , gk ) = V (g ) ∪ V (h1 , . . . , hk ). (ii) If V (g1 , . . . , gk ) is irreducible, then V (g1 , . . . , gk ) = V (g ) . 2. Let f be as in Theorem 5.6.5 and V (f ) = W1 ∪ W2 ∪ · · · ∪ W where each Wj is an irreducible affine variety and no Wj is superfluous. Establish the following: (i) For each i (1 ≤ i ≤ m) there exists a βj (1 ≤ βj ≤ ) such that V (fi ) ⊆ Wβi .
Rings and Polynomials 381
(ii) If Wβi = V (g1 , . . . , gk ), then fi | gj for all j. (iii) V (fi ) = Wβi . (iv) = m and the decomposition of V (f ) in Theorem 5.6.5 is unique. 3. Let F be an algebraically closed field and f , g ∈ F [x1 , . . . , xn ]. Show that V (f ) = V (g ) ⇐⇒ f and g have the same irreducible factors.
5.7 Cubic Equations in One Variable
By way of background to the study of certain cubic equations in two variables that will be the focus of our attention later, we consider here the solution of the general cubic equation a3 x 3 + a 2 x 2 + a 1 x + a 0 = 0
(a3 = 0)
(5.11)
in one variable over a field of characteristic different from 2 and 3 and in which it is possible to construct square and cube roots. As the argument is the same in all these cases and because the complex case is of greatest interest to us, we assume the base field to be C. The first reduction is to a monic polynomial equation of the form x 3 + b2 x 2 + b1 x + b 0 = 0
(5.12)
by the simple expedient of multiplying both sides of (5.11) by a3−1 . Now, substituting x = y − b2 /3 in (5.12) our polynomial becomes 1 1 1 (y − b2 )3 + b2 (y − b2 )2 + b1 (y − b2 ) + b0 3 3 3 3 2 = y + 0 · y + py + q for suitable p and q since the terms in y 2 cancel. Thus, our problem reduces to solving the equation y 3 + py + q = 0.
(5.13)
Now, substituting y=z−
p 3z
(5.14)
382 Introduction to Applied Algebraic Systems
we have to solve $ $ p %3 p% +q +p z − 0 = y 3 + py + q = z − 3z 3z p3 p2 p2 − +q + pz − = z 3 − pz + 3z 27z 3 3z p3 + q. = z3 − 27z 3 Multiplying through by z 3 we obtain (z 3 )2 + q(z 3 ) −
p3 =0 27
a quadratic in z 3 . Applying the standard solution for a quadratic equation we obtain z3 =
−q + α 2
(5.15)
where α is either of the roots of the equation w 2 = q2 +
4p 3 . 27
(5.16)
Taking cube roots in (5.15) yields six possible values for z. We could write these as *1/3 ) 6 q2 p3 q + (5.17) z= − + 2 4 27 √ sign stands for either root of (5.16). where the Thus we have shown that we can solve equation (5.13) by proceeding as follows: (1) Solve (5.16). (2) Substitute the solutions from (5.16) in (5.17) and solve (5.17). (3) Substitute the solutions from (5.17) in (5.14). (4) Substitute the solutions from (5.14) in the equation x = y − b2 /3. Of course we know from the general theory that there can be, at most, three distinct solutions to equation (5.13). Thus, our six possible solutions to equation (5.17) must collapse to, at most, three distinct solutions when we make the substitution in (5.14). Note that we can rewrite equation (5.14) as z 2 − 3yz − p = 0
(5.18)
Rings and Polynomials 383
which is a quadratic in z. Thus, for each of our solutions for y there will, in general, be two values of z that provide solutions to (5.18) and, therefore, the same value of y when substituted into (5.14). There is one observation that can be made when we are working over the field C. Proposition 5.7.1 If 4p 3 + 27q 2 = 0, then the equation y 3 + py + q = 0 has three distinct solutions in C. 4p 3
Proof. If 4p 3 + 27q 2 = 0, then q 2 + 27 = 0 and the equation (5.16) has two distinct solutions. Hence, equation (5.17) must have six distinct solutions leading, in (5.14), to three distinct solutions to (5.13). The expression 4p 3 + 27q 2 will figure prominently in our discussions of elliptic curves later. Exercises 5.7 1. (i) Let p ∈ C. Show that the mapping ϕ: z →z−
p 3z
(z ∈ C)
is surjective (from C to C) for all p ∈ C. (ii) Show that, for p = 0, ϕ is not injective. 2. Let α, β ∈ C and α = β. Show that V (x 3 − α) ∩ V (x 3 − β) = ∅. 5.8 Parameters
Given a set of polynomial equations fi (x1 , . . . , xn ) = 0, natural questions to ask are: In what form would we hope or like to describe the solution set? What is it that we would like to achieve? After all, the equations as they stand, assuming that there are only finitely many of them, are well suited to testing whether a given point x = (a1 , . . . , an ) is in the solution set or not. All that we have to do is substitute the values of the ai ’s for the xi ’s in each fi and see if the result reduces to zero. However, this does not help us to find or produce solutions. What we want is a way to list, or at least generate, solutions. A good way to do this is with parameters. We say that we have a parametric solution to the system of equations fi (x1 , . . . , xn ) = 0 (i = 1, . . . , m) if the solutions are given by the equations xi = pi (t1 , . . . , tk )
(1 ≤ i ≤ n)
384 Introduction to Applied Algebraic Systems
where the parameters tj range freely over sets of values Aj (1 ≤ j ≤ k) for suitable Aj . A parametric solution makes it easy to generate many solutions; we just feed in as many different values of the parameters tj as we please. In particular, this makes it easy to plot solutions if we are working with polynomials in two or three variables over R or Q. This concept is almost certainly not new to you. A good illustration is the way that we solve systems of linear equations. Consider the system of equations in F [w, x, y, z]: w w 2w 3w
+ x+y+ z + 2x − z + 3x + y + 7x − y − 5z
=0 =0 =0 = 0.
Gaussian elimination yields the solution w = − 2y − 3z x= y + 2z. We can write this in parametric form as w x y z
= −2s − 3t = s + 2t = s = t.
(5.19)
Then every choice of the parameters s, t ∈ R yields a solution, and every solution can be obtained in this way. A very important special case of this leads to a parametric description of a line. For any field F we define a line in F 2 to be the set of solutions to an equation of the form L : lx + my + n = 0
(l, m, n ∈ F )
where at least one of l, m is nonzero. If l = 0, then we can solve this equation as x = −l −1 my − l −1 n. Since the value of y is unconstrained, we can easily write this solution in parametric form as x = −l −1 mt − l −1 n y = t.
Rings and Polynomials 385
In a similar manner, if m = 0, then we can obtain a parametric solution of the form x=t y = −m −1 lt − m −1 n. Either way, we obtain a solution in the form x = a + ct y = b + dt
(5.20)
where a, b, c, d ∈ F , (a, b) is a point on L, and lc + md = 0. Conversely, given any point (a, b) on L and c, d ∈ F with lc +md = 0, any point with coordinates given by (5.20) will lie on L and every point on L can be so described. Henceforth, when we speak of the parametric equations of a line or a line in parametric form, we will mean a system of parametric equations as in (5.20). Note that when a line L is given in parametric form, as in (5.20), then (1) the point (a, b) lies on L (2) if the base field is R and c = 0, the slope of L is given by c −1 d. If c = 0, then the line is parallel to the y-axis and is given by the equation x = a. Note that distinct values of c and d do not necessarily define different lines in (5.20). If c = λc, d = λd (λ = 0), then the line x = a + c t = a + c(λt ) y = b + d t = b + d(λt ) is clearly the same line as that defined in (5.20). Conversely, suppose that L is also defined by x = a + c t y = b + d t . With t = 1, we see that (a + c , b + d ) ∈ L. Hence there must exist a value t = λ with (a + c , b + d ) = (a + cλ, b + dλ) so that we have c = λc,
d = λd
386 Introduction to Applied Algebraic Systems
where, since one of c , d is nonzero, λ = 0. Thus, the line L is really defined by the pair (c, d) to within nonzero scalar multiples—an idea to which we will return shortly. For any two points P1 = (x1 , y1 , z1 ), P2 = (x2 , y2 , z2 ), in R3 , the standard form for the line through P1 and P2 is x − x1 y − y1 z − z1 = = . x2 − x1 y2 − y 1 z2 − z1 If x2 = x1 , then we drop the first expression and add the equation x = x1 , with similar treatment if y2 = y1 or z2 = z1 . Assuming that x2 − x1 = a = 0, y2 − y1 = b = 0, and z2 − z1 = c = 0, we obtain the familiar form x − x1 y − y1 z − z1 = = . a b c If we set this quantity to equal t , then we immediately obtain the parametric equations for a line in R3 : x = x1 + at y = y1 + bt z = z1 + ct . The nondegenerate conics (circles, ellipses, parabolas, hyperbolas) in R2 can all be nicely parameterized. The secret is to choose a suitable point and line to achieve the parameterization, by mapping the line to the conic. Intuitively, we are simply wrapping a line around the conics. Consider the ellipse E:
y2 x2 + =1 9 4
(5.21)
..... ... .. ... ... ... . . . . . . . . . . . . . . . . . . . . . . . . . . ............................................. . ....... . . . . . . . . ........... . . . ... . .... . . . ........ . . . . ... . ... ....... . . . . . ... . .... ... . . .... . . ... ... ... . . .... ... . ................................................................................................................................................................................................................................................................ .. . ... .. ..... ... .... . . . ..... .... ..... ....... ....... ......... ... ........ ............ ... ........... . . . . ................... . . . . . . . . . . . . .............................................. .... ... ... ... ... .
r (0, t )
(−3, 0) P
(0, 2)
0
(3, 0)
Rings and Polynomials 387
Let Lt denote the line through the points (0, t ), (−3, 0). This line has slope t /3 and y-intercept t so that t Lt : y = x + t . 3
(5.22)
To see where this intersects the ellipse, we substitute for y from (5.22) into (5.21): t 2 ( 13 x + 1)2 x2 + =1 9 4 or 4x 2 + t 2 (x + 3)2 = 36 or (4 + t 2 )x 2 + 6t 2 x + (9t 2 − 36) = 0. However, since Lt passes through the point (−3, 0), we know that (x + 3) must be a factor of the left-hand side. Thus we obtain (x + 3)((4 + t 2 )x + (3t 2 − 12)) = 0 so that Lt intersects E in a second point where (4 + t 2 )x + 3t 2 − 12 = 0 or x=
12 − 3t 2 4 + t2
(5.23)
and from (5.22) y=
t 12 − 3t 2 · +t 3 4 + t2
4t − t 3 + 4t + t 3 4 + t2 8t = . 4 + t2
=
Thus we obtain the parameterization x=
12 − 3t 2 8t , y= . 4 + t2 4 + t2
(5.24)
388 Introduction to Applied Algebraic Systems
To check our work, we can substitute the parameterization from (5.23) and (5.24) back in (5.21) and confirm that the points with coordinates given by (5.23) and (5.24) do indeed lie on E. Thus, in (5.23) and (5.24) we, have a parameterization of E. Note that the parameterization is not a perfect match as one point (namely, P) is not captured. For this we need to be able to substitute the value t = ∞. In the world of projective spaces (see subsequent sections), this will make perfectly good sense. To obtain the previous parameterization of the ellipse, we basically, wrapped a line (x = 0 in this case) around the ellipse. There are other ways of obtaining parameterizations. For example, consider the circle x 2 + y 2 = 1. Here we can resort to the familiar polar coordinates to characterize the points: x = cos θ ,
y = sin θ
(0 ≤ θ < 2π).
This parameterization of the circle is fine for the purposes of calculus. However, it uses trigonometric functions when we would prefer to stick to polynomials. We can’t quite do this with this example, but we can get a parametric solution in terms of rational expressions in polynomials. Let t = tan θ/2. Then standard trigonometric formulas yield cos θ =
1 − t2 , 1 + t2
sin θ =
2t . 1 + t2
Thus we obtain the parametric solution x=
1 − t2 , 1 + t2
y=
2t 1 + t2
for t ∈ R. Unfortunately, this solution is not quite perfect either. To have y = 0, we must substitute t = 0. When we do this we also must have x = 1. Thus, there is no way to obtain the solution (−1, 0), which is definitely one of the points on the circle. However, it turns out that the fact that we miss one point or even several points is not always important. Let V be an affine variety in F n . Let m ∈ N, and pi (t1 , . . . , tm ), qi (t1 , . . . , tm ) ∈ F [t1 , . . . , tm ]
(1 ≤ i ≤ n)
be such that V∗ =
/$ p (t , . . . , t ) 0 pn (t1 , . . . , tm ) % 1 1 m , ... , ti ∈ F , qj (t1 , . . . , tm ) = 0 ⊆ V . q1 (t1 , . . . , tm ) qn (t1 , . . . , tm )
Rings and Polynomials 389
If V is the smallest affine variety containing V ∗ then we say that V is parameterized by the equations xi =
pi (t1 , . . . , tm ) qi (t1 , . . . , tm )
(1 ≤ i ≤ n)
(5.25)
or that (5.25) is a parameterization of V . Parameterizable affine varieties are rather special, but are nice to work with. In (5.23) and (5.24), we found a parameterization of the ellipse. If qi (t1 , . . . , tm ) = 1 for 1 ≤ i ≤ n, then we refer to (5.25) as a polynomial parametrization. It is the following result that makes V ∗ so useful. Lemma 5.8.1 With V and V ∗ as noted earlier, I (V ) = I (V ∗ ). Proof. Since V ∗ ⊆ V , we immediately have I (V ) ⊆ I (V ∗ ). However, f ∈ I (V ∗ ) =⇒ V ∗ ⊆ V (f ) =⇒ V ⊆ V (f )
by the minimality of V
=⇒ f ∈ I (V ). Thus, I (V ∗ ) ⊆ I (V ) and I (V ) = I (V ∗ ).
For the sake of simplicity, we will focus our attention on a single parametric variable t —that is, we will take m = 1. There is an important connection between the parameterizability and the irreducibility of an affine variety. But first we will introduce a useful criterion for the irreducibility of an affine variety V in terms of I (V ). We say that an ideal I in a ring R is a prime ideal if a, b ∈ R, ab ∈ I =⇒ either a ∈ I or b ∈ I . For example, in Z we know that every ideal I is of the form I = m Z for some m ∈ N ∪ {0}. If m = ab with 1 ≤ a, b < m, then a, b ∈ I but ab = m ∈ I and I is not prime. On the other hand, if m = p is prime and ab ∈ p Z, then p | ab so that p | a or p | b implying that either a ∈ I or b ∈ I . Thus, I is prime. Consequently, I = m Z is a prime ideal if and only if m is prime. Lemma 5.8.2 Let V ⊆ F n be an affine variety. Then V is irreducible if and only if I (V ) is a prime ideal. Proof. See the exercises.
Now we can demonstrate the link between the parameterizability of an affine variety and its irreducibility.
390 Introduction to Applied Algebraic Systems
Theorem 5.8.3 Let F be an infinite field and V ⊆ F n be an affine variety parameterized by xi =
pi (t ) qi (t )
(1 ≤ i ≤ n)
where pi (t ), qi (t ) ∈ F [t ]. Then V is irreducible. Proof. We will only consider the case of a polynomial parameterization here. The general case, which requires some extra work to clear the denominators, will be left to the exercises. Let V ∗ = {(p1 (t ), . . . , pn (t )) | t ∈ F }. Then I (V ) = I (V ∗ ) so, by Lemma 5.8.2, it suffices to show that I (V ∗ ) is a prime ideal. Let f , g ∈ F [x1 , . . . , xn ] and h = fg . Then h = fg ∈ I (V ∗ ) =⇒ h(a1 , . . . , an ) = 0
∀ (a1 , . . . , an ) ∈ V ∗
=⇒ h(p1 (t ), . . . , pn (t )) = 0 =⇒ h(p1 (t ), . . . , pn (t ))
∀t ∈ F
is the zero polynomial in t
since F is infinite =⇒ f (p1 (t ), . . . , pn (t )) g (p1 (t ), . . . , pn (t )) = 0 as polynomials in t =⇒ either f (p1 (t ), . . . , pn (t )) = 0 or
g (p1 (t ), . . . , pn (t )) = 0
=⇒ either f (p1 (t ), . . . , pn (t )) = 0 or
g (p1 (t ), . . . , pn (t )) = 0
=⇒ either f ∈ I (V ∗ )
as polynomials ∀t ∈ F ∀t ∈ F
or g ∈ I (V ∗ ).
Thus, I (V ) = I (V ∗ ) is a prime ideal and, by Lemma 5.8.2, V is irreducible. In one sense, Theorem 5.8.3 just appears to transfer the problem of showing that V is irreducible to showing that V is the smallest affine variety containing V ∗ (as defined in the proof). This may not be very easy either, but it does provide another tool. Consider the ellipse discussed earlier. There we had a parameterization for which V ∗ consisted of all points on the ellipse except for (−3, 0). Let f (x, y) ∈ R[x, y] be such that f is zero at all points in V ∗ . Then, for any neighborhood N of (−3, 0), there must be a point (a, b) ∈ N (indeed many points) such that f (a, b) = 0. But clearly, f (x, y), viewed as a function in two variables, is continuous. Hence, we must have f (−3, 0) = 0.
Rings and Polynomials 391
Consequently, any affine variety that contains V ∗ must also contain the point 2 2 y2 y2 (−3, 0) and therefore contains V ( x9 + 4 − 1)—that is, V ( x9 + 4 − 1) is the smallest affine variety containing V ∗ and is therefore irreducible. Clearly, this kind of continuity argument can be applied to many affine varieties in R3 for which we have a parameterization missing a finite number of points. We have been concerned in this section with finding a parameterization of an affine variety and with the benefits of having a parameterization. However, we also would like to have an equational basis for affine varieties; they often relate better to our intuition and experience. For example, we instantly recognize x 2 + y 2 = 0 as defining a circle, and so on. In some situations we may have a parametric description of a variety and want to generate an equational description. This process is known as implicitization. In some situations, it is pretty straightforward just to eliminate the parameters. For example, if we have the parametric equations x = t 2, y = t 3, z = t 4 then we clearly have x 2 = z, y = xz so that we could reasonably expect that the equations x 2 − z = 0, xz − y = 0 will define our curve. This leads us to one very important application of Groebner bases. For less transparent situations than that just described, Groebner bases provide a way to get equations that define a variety that is initially described by parametric equations. Suppose that we have x1 = f1 (t1 , . . . , tm ) x2 = f2 (t1 , . . . , tm ) ... = ... xn = fn (t1 , . . . , tm ). Then we can apply Buchberger’s algorithm (Theorem 5.4.7) to the ideal I = f1 (t1 , . . . , tm ) − x1 , f2 (t1 , . . . , tm ) − x2 , . . . fn (t1 , . . . , tm ) − xn
392 Introduction to Applied Algebraic Systems
with the lexicographic ordering t1 > t2 > · · · > tm > x1 > x2 . . . > xn to obtain a Groebner basis for I . Buchberger’s algorithm progressively eliminates the variables t1 , t2 , . . . , tm until we are eventually left with polynomials in just the variables x1 , . . . , xn . The polynomials in the basis that involve only the variables x1 , . . . , xn will generally provide equations for the smallest variety containing the parameterization. Slightly modified, the same technique will work for rational parameterizations. Example 5.8.4 Consider the parameterization x = 2 − t 2, y = t − t 3. Let I = t 3 − t + y, t 2 + x − 2. With the lexicographic order t > x > y, Buchberger’s algorithm will yield the following Groebner basis: {t 3 − t + y, t 2 + x − 2, t (1 − x) + y, ty + (1 − x)(x − 2), y 2 + (x − 1)2 (x − 2)}. Thus, the smallest variety containing the parameterization is defined by the equation y 2 + (x − 1)2 (x − 2) = 0. Exercises 5.8 1. Find parametric equations for the lines in R2 defined by the equations (i) x = −2 (ii) y = 3 (iii) 2x + y − 5 = 0. 2. Find the equations of the following parametrically defined lines in the form ax + by + c = 0. (i) x = 1 + 2t , y = 2 − t . (ii) x = −2 , y = 1 + t. 3. Find parametric equations for the circle in R2 defined by the equation x 2 +y 2 −4 = 0 using (i) the point (−2, 0) and the line x = 0 (ii) the point (−2, 0) and the line x = −3.
Rings and Polynomials 393
4. (i) Find parametric equations for the ellipse E in R2 defined by the equation x 2 /4 + y 2 /9 − 1 = 0 using the point (−2, 0) and the line x = 0. (ii) Show that the parametric equations that you obtain define a bijection from the line x = 0 to E with the point (−2, 0) removed. 5. Find parametric equations for the parabola in R2 defined by the equation y 2 − 4(x − 1) = 0. 6. Find parametric equations for the hyperbola in R2 defined by the equation x 2 − y 2 − 1 = 0. 7. Find parametric equations for the curve y 2 − x(x − 1)2 in R2 using the line x = 0 and the point (1, 0). 8. Let f (x, y, z) = x 2 + y 2 + (z − 1)2 − 1 ∈ R3 [x, y, z]. Then V (f ) is the surface of a sphere. Use the point (0, 0, 2) ∈ V (f ) and points (u, v, 0) in the xy plane to obtain the following parameterization of V (f ):
x=
u2
4u , + v2 + 4
y=
u2
4v , + v2 + 4
z=
2u 2 + 2v 2 . u2 + v 2 + 4
9. Show that the process of parameterizing the ellipse E in Exercise 4 by a line can be reversed. In other words, it is possible to reverse the roles and parameterize the line x = 0 by (all but one of) the points on E. 10. Describe all the prime ideals in F [x]. 11. Show that I = x, y, z ⊆ F [x, y, z] is a prime ideal that is not principal. 12. Let V , V1 , and V2 be affine varieties in F n , where V1 and V2 are proper subsets of V and V = V1 ∪ V2 . Let fi , gj ∈ F [x1 , . . . , xn ] for 1 ≤ i ≤ , 1 ≤ j ≤ m, V1 = V (f1 , . . . , f ), and V2 = V (g1 , . . . , gm ). Establish the following: (i) (ii) (iii) (iv)
∃ i0 , j0 such that V ⊆ V (fi0 ) and V ⊆ V (gj0 ). fi0 , gj0 ∈ I (V ). fi0 gj0 ∈ I (V ). I (V ) is not prime.
13. Let V be an irreducible affine variety in F n . Let f , g ∈ F [x1 , . . . , xn ]. Establish the following: (i) V ∩ V (fg ) = (V ∩ V (f )) ∪ (V ∩ V (g )). (ii) f , g ∈ I (V ) ⇒ fg ∈ I (V ). (iii) I (V ) is a prime ideal.
394 Introduction to Applied Algebraic Systems ∗ 14.
Let F be an infinite field and V ⊆ F n be an affine variety parameterized by xi =
pi (t ) qi (t )
(1 ≤ i ≤ n)
where pi (t ), qi (t ) ∈ F [t ]. Show that V is irreducible.
5.9 Intersection Multiplicities
In this section we will consider the manner in which a line can intersect a curve. We begin by considering an example. Let f (x, y) = x 2 + y 2 − 2 ∈ F [x, y] and C = V (f ). Clearly, P = (1, 1) ∈ C. Consider an arbitrary line L through P that is given by the parametric equations x = 1 + ct , y = 1 + dt ,
(5.26)
where not both c and d are zero. In fact, since we will want to divide by c 2 + d 2 at one point later, we need the slightly stronger assumption that c 2 + d 2 = 0. This would follow automatically from the assumption that not both c and d are zero in fields such as Q and R, but this does not necessarily follow in fields such as Zp and C. To examine the points of intersection of this line with C, we substitute the parametric expressions into f (x, y) to obtain f (1 + ct , 1 + dt ) = (1 + ct )2 + (1 + dt )2 − 2 = 1 + 2ct + c 2 t 2 + 1 + 2dt + d 2 t 2 − 2 = t (2(c + d) + (c 2 + d 2 ) t ) and equate this to zero to obtain t (2(c + d) + (c 2 + d 2 )t ) = 0. Since we constructed the line L so that it would pass through the point P and since P is given by the value t = 0, it is no surprise that one solution is given by t = 0. This just reflects the fact that P lies on the curve C. A “second” point of intersection is obtained by setting 2(c + d) + (c 2 + d 2 ) t = 0
Rings and Polynomials 395
to obtain t=
−2(c + d) . c2 + d2
Thus, L meets C in two distinct points, except when c = −d, in which case f (1 + ct , 1 + dt ) = t 2 (c 2 + d 2 ). Equating this to zero, we have t 2 (c 2 + d 2 ) = 0 which has a “double” solution at t = 0. We describe this by saying that L meets C “twice” at the point P. We naturally consider this line to be the tangent to C at P (although later we will give a precise definition of what we mean by a tangent). This leads us to the concept of intersection multiplicity. Let f (x, y) ∈ F [x, y] and P = (a, b) ∈ C = V (f (x, y)). Let L be the line given by parametric equations x = a + ct y = b + dt . Let f (a + ct , b + dt ) = t m g (t )
(5.27)
where m ≥ 1 and g (0) = 0. Then the intersection multiplicity of L with C at P is defined to be m. It is important to appreciate the following: (i) f (a + ct , b + dt ) is a polynomial in t . (ii) When t = 0, we have f (a + c · 0, b + d · 0) = f (a, b) = 0 since P ∈ C. (iii) In light of (i) and (ii), the constant term in f (a + ct , b + dt ) must be zero. It is for this reason that we know that we must be able to write f (a + ct , b + dt ) in the form (5.27) with m ≥ 1. As a second example, consider the curve C = V (f (x, y)) where f (x, y) = y − x 3 + 6x 2 − 14x + 7 ∈ F [x, y].
396 Introduction to Applied Algebraic Systems
Then P = (2, 5) ∈ C. Let L be the line x = 2 + ct y = 5 + dt . Thus L and C intersect at the point P. To determine the multiplicity of their intersection at P, we substitute the parametric description of L into f (x, y) to obtain f (2 + ct , 5 + dt ) = dt − c 3 t 3 − 2ct = t (d − 2c − c 3 t 2 ). Thus, provided d = 2c, the intersection multiplicity is 1 whereas, if d = 2c, then f (2 + ct , 5 + dt ) = −c 3 t 3 and the multiplicity of intersection is 3. The two examples considered so far conform to our initial expectations that a line will normally meet a curve at a point of intersection multiplicity one unless we happen to be considering a tangent line where the multiplicity would be higher. However, life is not always quite that simple. Consider the curve C = V (f (x, y)) where f (x, y) = (y − 2)2 − (x − 1)3 . Then P = (1, 2) ∈ C. Let L be the line defined by x = 1 + ct y = 2 + dt . Then L passes through P. To determine the multiplicity of intersection at the point P, consider f (1 + ct , 2 + dt ) = d 2 t 2 − c 3 t 3 = t 2 (d 2 − c 3 t ). Then, for d = 0, the multiplicity of intersection is 2 whereas, for d = 0, the multiplicity is 3. In particular, every line through P has intersection multiplicity of at least 2. So far we have seen that there are points on curves such that there is a unique line through the point with intersection multiplicity greater than one and that there are points for which every line through the point has intersection multiplicity greater than one. It would be natural to expect that with a little bit of work, we could find a point for which there were lines of intersection multiplicity one and other lines of intersection multiplicity greater than one. Somewhat surprisingly, this cannot happen.
Rings and Polynomials 397
To see why, let f (x, y) ∈ F [x, y] have degree m, (a, b) ∈ V (f ), and once again consider f (a +ct , b +dt ) as a polynomial in t . We know that the constant term is zero, so that we have the factor t . We will have a factor of t 2 if and only if the coefficient of t is zero. Let f (a + ct , b + dt ) = t 2 g (t ) + h(c, d) t . Since we are wondering if there could be particular choices of c and d so that the coefficient of t is zero, we consider the coefficient of t as a polynomial in c and d. To see how we obtain terms in t , consider any monomial cij x i y j of f (x, y). Under parametric substitution this becomes cij (a + ct )i (b + dt )j . To get a term from this product that is linear in t , we must select the scalar (field element) from all the brackets except one and select ct or dt , as appropriate, from the remaining bracket. This yields a term of the form cij a i−1 b j ct
or
cij a i b j−1 dt
for some cij , ∈ F . Since deg(f ) = m, we have for some ci ∈ F , f (a + ct , b + dt ) = cm t m + cm−1 t m−1 + · · · + (γ c + δd) t so that the coefficient of t in f (a + ct , b + dt ) is of the form γ c + δd for some γ , δ ∈ F . Thus we find a point with intersection multiplicity greater than one if and only if γ c + δd = 0. This happens if and only if one of the following two cases holds: Case (i) γ = δ = 0. Then for all choices of c and d (that is, for all lines L through P), L meets C at P with intersection multiplicity at least 2. Case (ii) γ = 0 or δ = 0. Without loss of generality, we can assume that γ = 0. Then, c = −γ −1 δd and all solutions are of the form (c, d) = (−γ −1 δd, d) = d(−γ −1 δ, 1).
398 Introduction to Applied Algebraic Systems
It follows that the only line through (a, b) yielding multiple solutions is the line determined by the pair (−γ −1 δ, 1). Therefore, in this case, there exists a unique line statisfying γ c + δd = 0 and therefore a unique line with intersection multiplicity at least 2. For different values of d, these solutions all determine the same line in parametric form (5.26). (Note that d = 0, since d = 0 would imply that c = 0, but we cannot have both c and d equal to zero since the equations x = a + ct , y = b + dt would no longer define a line.) Thus either all lines through the point P have intersection multiplicity at least two or else there exists a unique line through P with intersection multiplicity at least two. We have therefore established the following remarkable result. Theorem 5.9.1 Let P be a point on the curve C : f (x, y) = 0 where f (x, y) ∈ F [x, y]. Then exactly one of the following situations must prevail: (i) There exists a unique line through P that intersects C with intersection multiplicity at least 2. (ii) Every line through P meets C with intersection multiplicity at least 2. We can therefore make the following definition: The tangent (line) to C at the point P is the unique line through P with intersection multiplicity at least two if such a unique line exists. In the light of the discussion in this section, it is also reasonable to identify how bad the bad points are on a curve. So we say that a point P on a curve C is a double point if every line through P has intersection multiplicity at least two and at least one line intersects C at P with intersection multiplicity exactly 2. We define triple and quadruple points, and so on, in a similar manner. We refer to this as the multiplicity of intersection of C at P. Exercises 5.9 1. Determine the intersection multiplicity for lines at each point where the curve in Exercise 13 (ii) in section 5.5 crosses the x-axis. 2. Determine the intersection multiplicity for lines at each point where the curve in Exercise 14 (ii) in section 5.5 crosses the x-axis. 3. Determine the intersection multiplicity for lines at each point where the curve in Exercise 15 (ii) in section 5.5 crosses the x-axis. Also determine the intersection multiplicity at the point (5, 8). 4. Find the equation of the tangent (in implicit and parametric form) at the point (4, 6) on the curve y 2 − x(x − 1)2 = 0.
Rings and Polynomials 399
5.10 Singular and Nonsingular Points
In light of our discussion on intersection multiplicities in the previous section, the following definition now makes sense. We define a point P on the curve f (x, y) = 0 to be singular if every line through P has intersection multiplicity at least two and to be nonsingular if there exists a unique line through P with intersection multiplicity at least two. We say that the curve C : f (x, y) = 0 is singular if it contains a singular point, and it is nonsingular if it has no singular points. Our goal in this section is to develop a simple test for singularity/nonsingularity. The test that we are about to develop depends on the idea of formal (partial) differentiation. The idea can be applied to polynomials in an arbitrary number of variables but, to keep the notation simple, we will just work with two variables. For any monomial m = m(x, y) = aαβ x α y β ∈ F [x, y] we define the partial derivative of m with respect to x to be ∂m = αaαβ x α−1 y β . ∂x Of course, ∂m ∂y is defined similarly. We then extend the definition to an arbitrary polynomial f = f (x, y) =
aαβ x α y β
by ∂f = αaαβ x α−1 y β . ∂x This “formal” partial differentiation satisfies some familiar rules: The product rule :
∂g ∂f ∂ (fg ) = f + g ∂x ∂x ∂x
The modified chain rule :
∂f ∂x ∂f ∂y ∂ f (x(t ), y(t )) = · + · . ∂t ∂x ∂t ∂y ∂t
400 Introduction to Applied Algebraic Systems
The verification of the first of these rules reduces to the rule for the product of monomials. Let f = ax α y β ,
g = bx γ y δ .
Then f
$ ∂g % ∂x
+
$ ∂f % ∂x
g = ax α y β · bγ x γ −1 y δ + aαx α−1 y β · bx γ y δ = (α + γ ) abx α+γ −1 y β+δ
whereas ∂ ∂(fg ) = (abx α+γ y β+δ ) ∂x ∂x = (α + γ ) abx α+γ −1 y β+δ . Thus, ∂g ∂f ∂(fg ) =f + g. ∂x ∂x ∂x We leave the remainder of the proofs of the product rule and modified chain rule as exercises for you. Theorem 5.10.1 Let f (x, y) ∈ F [x, y] and P = (a, b) be a point on the curve C : f (x, y) = 0. Then P is a singularity if and only if ∂f ∂f = =0 ∂x ∂y at the point P. Proof. Consider the intersection of the line L given by the parametric equations x = a + ct y = b + dt with C. The points of intersection are given by f (a + ct , b + dt ) = 0
Rings and Polynomials 401
where, of course, one solution is t = 0. Thus, f (a + ct , b + dt ) is a polynomial in t with zero as the constant term: f (a + ct , b + dt ) = cm t m + cm−1 t m−1 + · · · + c1 t . Note that a and b are fixed by the point P so that we consider the coefficients ci as polynomials in c and d—that is, as elements of F [c, d]. Thus, the intersection multiplicity at P is greater than one—that is, P is a singular point if and only if c1 , as a linear polynomial in c and d, is identically zero. The key here is to notice that we can isolate c1 by differentiating f (a + ct , b + ct ) with respect to t , which yields ∂ f (a + ct , b + dt ) = mcm t m−1 + · · · + 2c2 t + c1 ∂t and then evaluating at t = 0: ∂ f (a + ct , b + dt ) = c1 . t =0 ∂t From the modified chain rule, we deduce c1 =
∂f ∂f c+ d ∂x ∂y
(5.28)
where the partial derivatives are evaluated at P. Since we are considering c and d as variables, equation (5.28) describes c1 as an element of F [c, d]. Thus we have (evaluating partial derivatives at P) P is singular ⇐⇒ c1 is the zero polynomial in c and d ∂f ∂f ⇐⇒ c+ d is the zero polynomial in c and d ∂x t =0 ∂y t =0 ∂f ∂f ⇐⇒ =0= . ∂x P ∂y P Corollary 5.10.2 Let f (x, y) ∈ F [x, y] and C be the curve defined by f (x, y) = 0. Then C is nonsingular if and only if there is no point P ∈ C with ∂f ∂f = = 0. ∂x P ∂y P Consider f (x, y) = y 2 + x 3 − x 5 and the curve C : f (x, y) = 0. Then any singular point on C must satisfy the equations f (x, y) = 0,
∂f =0 ∂x
and
∂f = 0, ∂y
402 Introduction to Applied Algebraic Systems
That is, y2 + x3 − x5 = 0 3x 2 − 5x 4 = 0 2y = 0. These equations imply y = 0,
x 3 (1 − x 2 ) = 0,
x 2 (3 − 5x 2 ) = 0.
The only common solution is the point O = (0, 0). Thus, C has a unique singularity at the origin. Exercises 5.10 1. Show that the following curves in R2 have no singular points: (i) (ii) (iii) (iv)
Circle. Ellipse. Parabola. Hyperbola.
2. Find the singular points of the curve C : x 3 + xy + y 3 = 0 in R2 . 3. Find the singular points of the curve C : x 2 (x − 1)2 + y 2 (y − 2)2 = 0 in R2 . 4. Find the singular points of the curve C : x 2 (x − 2)2 + y(y − a)2 = 0 in R2 . 5. Find the singular points of the curve in R2 defined by the polynomial y 2 − x(x 2 − 3x + 2). 6. Find the singular points of the curve in R2 defined by the polynomial y 2 − x(x 2 − 2x + 1). 7. Find the singular points of the curve in R2 defined by the polynomial y 2 − (x − 1)3 . 8. Show that the curve C : (1 + x 2 )2 + y 2 = 0 has no singularity in R2 but does have singularities in C2 . 9. Show that the curve C : (1 + x 2 )2 + y 2 (y + 1) = 0 has no singularity in R2 but does have singularities in C2 . 10. Show that the curve C : x 2 (1 + x 2 )2 + y 2 = 0 has a singularity in R2 and additional singularities in C2 .
6 Elliptic Curves
Although elliptic curves have been studied for many decades and a wealth of information was gained about them, it is only relatively recently that they have gained a certain level of “notoriety”. This has been the result of the application of the theory of elliptic curves to such things as Fermat’s Last Theorem, cryptography, and integer factorization. In this chapter we develop some basic properties of elliptic curves, particularly the group structure on an elliptic curve. There are other situations, and also simpler situations, when it is possible to define an algebraic structure on a set of solutions to an equation. One simpler example where one is dealing exclusively with integer solutions occurs in the study of Pell’s Equation. This is treated in section 7.7, but you are welcome to digress to that section at this stage, if you wish to do so. To understand the critical intersection properties of elliptic curves, it is necessary to consider them in projective space. For this reason, we devote some time to introducing and working with projective spaces and, in particular, the projective plane.
6.1 Elliptic Curves
We define an elliptic curve to be a nonsingular curve E : f (x, y) = 0 where f (x, y) has the form f (x, y) = y 2 − (x 3 + ax + b) ∈ F [x, y] 403
404 Introduction to Applied Algebraic Systems
and char F = 2, 3. See section 7.5 for some further comments regarding this form of the equation. Over fields of characteristic 2 or 3, the concept of an elliptic curve can be captured by more general equations. In the discussion to follow we will depart from our usual practice of denoting the inverse of a nonzero element b in an arbitrary field by b −1 and will write ab sometimes for ab −1 . The fractional notation can be more convenient and intuitive. For a curve written in this form, we define the discriminant to be the expression = 4a 3 + 27b 2 . Theorem 6.1.1 The curve E : f (x, y) = 0 where f (x, y) = y 2 −(x 3 +ax +b) ∈ F [x, y], and char F = 2, 3, is singular if and only if = 4a 3 + 27b 2 = 0. Proof. By Corollary 5.10.2, E is singular if and only if there exists a solution to the equations f (x, y) = 0,
∂f = 0, ∂x
∂f = 0. ∂y
That is, y 2 − (x 3 + ax + b) = 0
(6.1)
3x 2 + a = 0
(6.2)
2y = 0.
(6.3)
First assume that (x, y) is a solution. Then, since char F = 2, 3, y = 0,
x 3 + ax + b = 0,
a x2 = − . 3
(6.4)
From the third equality in (6.4), we have 3x 3 + ax = 0 which, when combined with the second equality in (6.4), yields b = 2x 3 . Combining this with the third equality in (6.4), we now obtain 4a 3 + 27b 2 = 4(−3x 2 )3 + 27(2x 3 )2 = 0.
(6.5)
Elliptic Curves 405
Conversely, now assume that = 0. Clearly, a = 0 if and only if b = 0. So this presents us with two cases to consider: Case (1) a = b = 0. Then f (x, y) = y 2 − x 3 and it is easily verified that there is a singularity at the origin (0, 0). Case (2) a = 0 = b. From = 0 we must have −
3b 2a 2 = . 2a 9b
So consider the point with coordinates x=−
3b 2a 2 = , 2a 9b
y = 0.
(6.6)
Equation (6.3) is immediately satisfied. Also, x2 = x . x = −
3b 2a 2 a · =− 2a 9b 3
and equation (6.2) is satisfied. Finally, x 3 + ax + b = x . x 2 + ax + b $ 3b % 2a 2 9b 2 · +b + a − 9b 4a 2 2a b 3 = − b+b 2 2 =0
=
= y2 so that (6.1) is satisfied. Thus, the point with coordinates as given in (6.6) is a singular point and the proof is complete. Note that in our proof there were times when we wanted to divide by 2 or by 3. For this reason, the criterion of Theorem 6.1.1 does not apply over fields of characteristic 2 or 3.
406 Introduction to Applied Algebraic Systems ... ... ... .. ... ... ... ... . ... . . ... ... ... ... ... ... ... . . ... ... ...................................................... ... ............ ... .......... ... ......... . . . . . . . . . . . . . . . ...... ... .... ..... ... ....... .. .. ....... ... ........................................................................................................................................................................................................................................................................................................................................................................................ . . . . . . . . .. . ... ..... ..... 1 2 ........ 3 ... ... .. .... ... ... .... ..... .... . .... . . . . . . . ..... . .. . .. . . . . . . . ...... ... .... ..... ....... ..... .... ........ .... ...... ........... ... ... ........ . . . . . ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. ..
x
x
x
Figure 6.1
Let us see how the criterion of Theorem 6.1.1 applies to special cases. We continue to assume that we are working over a field of characteristic = 2, 3. Case a = b = 0. Then = 0 so that the curve E : y 2 = x 3 is singular. Case a = 0, b = 0. Then = 27b 2 = 0 and E : y 2 = x 3 + b is nonsingular. Case a = 0, b = 0. Then = 4a 3 = 0 and E : y 2 = x 3 + ax is nonsingular. Case F = R and a > 0. Then = 4a 3 + 27b 2 > 0. Therefore, E : y 2 = x 3 + ax + b is nonsingular. When working over an arbitrary field we don’t have any convenient way to graph a cubic curve. However, over R we can obtain a useful representation. So consider the curve E : y 2 = x 3 + ax + b over R. If we require that E be nonsingular, then 4a 3 + 27b 2 = 0. Coincidentally, by Proposition 5.7.1, this is exactly the condition required to ensure that the polynomial x 3 + ax + b has three distinct roots over C. Unfortunately, two of them might be complex. However, if we consider the case when the three distinct roots are real, then we can see what the graph of C must look like. First, the graph of y = x 3 + ax + b must cross the x-axis in three distinct points, as in Figure 6.1. Then x 3 + ax + b is nonnegative in the intervals x1 ≤ x ≤ x2 and x3 ≤ x. Thus, the points with real coordinates on the curve C will be given by y = ± x 3 + ax + b ,
x1 ≤ x ≤ x2 , x3 ≤ x.
So that the graph of C will be (roughly) of the form in the following diagram.
Elliptic Curves 407 ... ........ ... ........ ........ ... ........ . ... . . . . . . . .. ... ......... ... ........ ... ......... ... ....... . . . . ... . ..... ..................................................... ...... ................. ... ........... ...... .......... ........ ... .... . ....... . . . . . . . . . . . .... .... ... ... .... . ... ... ... .............................................................................................................................................................................................................................................................................................................................................................................. . ... ... . . ... .... ... ... ... ...... ... ... .... ........ ... ............... .... ........... ...... . . . . . . . . . . ................... ...... ................................................. ...... ... ...... ....... ... ......... ... ......... ... ......... ......... .... ........ ... ........ ... ........ ... ........ .
√ Note that for y = ± x 3 + ax + b , dy 3x 2 + a =± √ dx 2 x 3 + ax + b where the denominator is zero when x = x1 , x2 or x3 . Thus the “slope” of the curve at these points is vertical. Exercises 6.1 1. Show that the change of variables described here, when performed in succession, will transform the curve y 2 = px 3 + qx 2 + rx + s over F (where char (F ) = 3) to the form y 2 = x 3 + ax + b.
(i) Multiply by p 2 and substitute px → x py → y. (ii) Substitute 1 x→x− q 3 y → y.
(p = 0)
408 Introduction to Applied Algebraic Systems
2. For each of the following pairs of values of a and b, determine whether the curve y 2 = x 3 + ax + b over Q is singular or nonsingular. (i) (ii) (iii) (iv) (v) (vi)
a a a a a a
= 1, b = 1. = −1, b = 1. = −3, b = 2. = −2, b = 3. = −22 33 , b = 24 33 . = −22 33 m 2 , b = 24 33 m 3 , m ∈ N.
3. For each of the following pairs of values of a and b determine whether the curve y 2 = x 3 + ax + b over (a) Z5 and (b) Z7 is singular or nonsingular. (i) (ii) (iii) (iv) (v) ∗ 4.
a a a a a
= 0, = 2, = 3, = 1, = 2,
b b b b b
= 1. = 3. = 1. = 5. = 2.
Let F = GF(2n ), n ∈ N, and f (x, y) = y 2 − (x 3 + ax 2 + bx + c) ∈ F [x, y]. Establish the following: (i) Every element of F is a square—that is, for all α ∈ F , there exists x ∈ F with x 2 = α. (Hint: Use induction on n.) (ii) f (x, y) is singular.
5. Let F be an algebraically closed field of characteristic 3, f (x, y) = y 2 − (x 3 + ax + b) ∈ F [x, y], and E : f (x, y) = 0. Establish the following: (i) a = 0 ⇒ E is nonsingular. (ii) a = 0 ⇒ E has 3 singular points. 6. Let F be a field with char (F ) = 2 and let a ∈ F ∗ . Show that the polynomial f (x) = x 2 + a either has no roots in F or else it has two distinct roots. 7. Let F be a field with char (F ) = 3 and let a ∈ F ∗ . Show that the polynomial f (x) = x 3 + a cannot have two repeated roots in F .
6.2 Homogeneous Polynomials
We say that a polynomial f (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] is a homogeneous polynomial (of degree m) if f (tx1 , tx2 , . . . , txn ) = t m f (x1 , x2 , . . . , xn ).
Elliptic Curves 409
For example, x 2 + xy + z 2 x 3 + x 2y + y 2z + z 3 are homogeneous polynomials of degrees 2 and 3, respectively, whereas x 2 + xy + z is not homogeneous. Thus, the polynomial f (x1 , . . . , xn ) is homogeneous if every monomial term has the same degree. The zero set of a homogeneous polynomial has one very important property. It is closed under scalar multiplication. Lemma 6.2.1 Let f (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] be a homogeneous polynomial. Then (a1 , . . . , an ) ∈ V (f ), t ∈ F =⇒ (ta1 , . . . , tan ) ∈ V (f ). In particular, (0, 0, . . . , 0) ∈ V (f ). Proof. Let f be homogeneous of degree m. Then f (tx1 , . . . , txn ) = t m f (x1 , . . . , xn ). Hence, (a1 , . . . , an ) ∈ V (f ), t ∈ F =⇒ t m f (a1 , . . . , an ) = 0 =⇒ f (ta1 , . . . , tan ) = 0 =⇒ (ta1 , . . . , tan ) ∈ V (f ).
There is an easy way to “homogenize” any polynomial. Let f (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] have degree m. Let z denote another variable. We define f h (x1 , x2 , . . . , xn , z) = z m f
$x
x2 xn % ,..., . z z z 1
,
Then f h (x1 , x2 , . . . , xn , z) will be a homogeneous polynomial in F [x1 , . . . , xn , z] of degree m. For example, if f (x, y) = x 3 y 2 + xy + 1
410 Introduction to Applied Algebraic Systems
then f h (x, y, z) = x 3 y 2 + xyz 3 + z 5 whereas if f (x1 , x2 , x3 ) = x12 x23 x3 + x22 + x2 x32 + x36 then f h (x1 , x2 , x3 , z) = x12 x23 x3 + x22 z 4 + x2 x32 z 3 + x36 . Note that if f is already homogeneous, then f h = f . For example, if f (x, y) = x 2 + xy + y 2 , then f h (x, y, z) = z 2
$$ x %2
+
$ x %$ y %
z z 2 = x + xy + y
z
+
$ y %2 % z
2
= f (x, y). The polynomial f h (x1 , x2 , . . . , xn , z) is called the homogenization of f (x1 , . . . , xn ). Note that f h (x1 , . . . , xn , 1) = f (x1 , . . . , xn ). It comes as no great surprise that there is a close connection between V (f (x1 , . . . , xn )) and V (f h (x1 , . . . , xn , z)), which we now elaborate on in the next lemma. Lemma 6.2.2 Let f (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] be of degree m. Define ϕh : F n → F n+1 by ϕh (a1 , . . . , an ) = (a1 , . . . , an , 1). Let V (f h )∗ = {(a1 , . . . , an , b) ∈ V (f h ) | b = 0}. Define ϕr : V (f h )∗ → F n by ϕr (a1 , . . . , an , b) = (a1 b −1 , . . . , an b −1 ). (i) ϕh is injective and ϕh (V (f )) ⊆ V (f h ). (ii) ϕr (V (f h )∗ ) = V (f ).
Elliptic Curves 411
(iii) ϕr induces the relation ∼ on V (f h )∗ where (a1 , . . . , an , b) ∼ (c1 , . . . , cn , d) ⇐⇒ ∃ λ ∈ F ∗ with (c1 , . . . , cn , d) = λ(a1 , . . . , an , b). Proof. (i) Clearly, ϕh is an injective mapping. For any (a1 , . . . , an ) ∈ V (f ), f h (a1 , . . . , an , 1) = f (a1 , . . . , an ) = 0. Thus, ϕh maps V (f ) into V (f h )∗ . (ii) Let (a1 , . . . , an , b) ∈ V (f h )∗ . Then b ∈ F ∗ and f ϕr (a1 , . . . , an , b) = f (a1 b −1 , . . . , an b −1 ) = b −m (b m f (a1 b −1 , . . . , an b −1 )) = b −m f h (a1 , . . . , an , b) = b −m · 0 = 0. Therefore, ϕr maps V (f h )∗ to V (f ). For any (a1 , . . . , an ) ∈ V (f ), we have by part (i) (a1 , . . . , an , 1) = ϕh (a1 , . . . , an ) ∈ V (f h )∗ and ϕr (a1 , . . . , an , 1) = (a1 , . . . , an ). Thus, ϕr is surjective. (iii) Let (a1 , . . . , an , b), (c1 , . . . , cn , d) ∈ V (f h )∗ . Then (a1 , . . . , an , b) ∼ (c1 , . . . , cn , d) =⇒∃ λ ∈ F ∗ with (c1 , . . . , cn , d) = λ(a1 , . . . , an , b) =⇒ ϕr (c1 , . . . , cn , d) = (λa1 (λb)−1 , . . . , λan (λb)−1 ) = (a1 b −1 , . . . , an b −1 ) = ϕr (a1 , . . . , an , b). Conversely, ϕr (a1 , . . . , an , b) = ϕr (c1 , . . . , cn , d) ⇒ (a1 b −1 , . . . , an b −1 ) = (c1 d −1 , . . . , cn d −1 )
412 Introduction to Applied Algebraic Systems
⇒ ai b −1 = ci d −1 ⇒ ci = (db
−1
)ai
i = 1, . . . , n i = 1, . . . , n
⇒ (a1 , . . . , an , b) ∼ (c1 , . . . , cn , d). Example 6.2.3 Let f (x, y) = x 2 + y 2 − 1 ∈ R[x, y]. The following diagrams illustrate the relationships between V (f ), V (f h ) and ϕh (V (f )). Note that f h (x, y, z) = x 2 + y 2 − z 2 . In particular, we see that V (f h ) is much “bigger” than either V (f ) or ϕh (V (f )) and that ϕh (V (f )) ⊆ V (f h ). Figure 6.2 illustrates the mapping ϕh . Figure 6.3 illustrates V (f ), V (f h ) and ϕh (V (f )). Figure 6.4 illustrates the mapping ϕr .
Exercises 6.2 1. (i) Find an example of a polynomial f ∈ R[x, y] such that V (f ) is not closed under scalar multiplication (of vectors). (ii) Find an example of a homogeneous polynomial f ∈ R[x, y] such that V (f ) is not closed under addition (of vectors). ..6z .. .. ...... ... ........................................................................ . . . . . . . . . . ..... . .. .. ...... .................................................................................... ...... .. .. . ... .. . . . . . . . . . .. ..... .. .. .... ... ... ... ... ... ... ... .. .. .. ...... ..... ............ .... ... ... .............. . . . . . . . . . . . ............................................. ... ... ... ......................................................z. = 1 ) ... ... .. .. .. . .. ..... .. . . . . . . . . . . . . . . . . . .. . . . .. .. ... . . . . . ..................................................................................................................................................6 .............. ...... . .. .. .. .. .. ...... ... ... .... ϕ . ... .. . .. . h ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ............................................................................................................................................................. x 0........ .. . . . . . ...... ...... . . . . ...... ...... . . . . ...... ...... . . . . ...... ...... . . . . .. y Figure 6.2
Elliptic Curves 413
.. z ..6 .. .................... . . . . . . . . . . . . . . ............ . ............... ... ........... . .. ... ............. ................. .. .. ... ................................................ ... . 2 2 2 . . x +y −z =0 ... ... ... ... .. ... ....... .. .. . .... ... ... .. .. ... ..... ............................ .. .. . . . . . . . . . . . . . . . . . V (f h ) . . . . ϕh (V (f )) . . . . . . . . . . . .. ..................................... ................................... .. ................ .................... .. .. ..... .... .... ... Y . ... ... .. .. ... .. .. ........................................................ x 2 + y 2 − 1 = 0 ......... ... ... . .. .. ..... z =1 ..... .... ... .. . . . . . . . . . . R3 in . . . . . . . . . . . . . . . . . . . . . . . . ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ................. ... ...................................................................................................................................................... . . . x ............0..................................... .. ...... .... ..... ... Y................................................ .............. ............... ...... .... ... ... ... ..... . . . . ....... .... .... .. .. ... .... . . . . .... . .. .. ... ... . . . x2 + y2 − 1 = 0 . . . .... ... .... ... ..... ... ..... ... ......... .... . . . . . . . . .. .. . in R2 ... .................................................. ..... ...... . . . . . . . ...... ........................................................................... ......y ......... .. . ......................... ... ........................... ................ .. .. .. . Figure 6.3
..6z .. .. . ................................................................... . . . . . . . . . . . .. . . ...... .. ........................... .. ............................... .. .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...... .... .. ...... ... ... ... .... ... ........ ... ... ...... .. ....j .. .. ..... ........... ... .. . ......... ...... . . . . . . . .. ................................................... .. . . .. ϕr .... ..... .... ... .. ..... .... . . . ... ... .. . .. . ... ... .. ... .... .. .. ... ...... . ... .. . .. .. . .. ... ... ...... .... ... .. . .. .... ......... ............. ... . . . . . . . ..? . . . ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ................ ... ... .......................................................? ...........0................................. ................................................................................................................ x . . . . . . . ...... .. . .... ... ...... .... ... ... .... ..... . . . . ...... .... .. .... .... ..... . . . . . ...... . . . . ........ ......... .......... ......... ... ........ .... . . . . . . . ... . .. .. ...... ...... .. ......................................................... ..... ...... . . . . . . . .... ................................................................................... ..... .. .. ..... y ......... . . .... .................... ..................................................... .. .. .. .. .. Figure 6.4
414 Introduction to Applied Algebraic Systems
2. Show that the mapping H : f →fh
(f ∈ F [x1 , . . . , xn ])
respects multiplication of polynomials, but not addition—that is, (fg )h = f h g h , but, in general, (f + g )h = f h + g h . ∗ 3.
Let f , p, q ∈ F [x1 , . . . , xn ] and f = pq. Show that f is homogeneous if and only if p and q are both homogeneous.
∗ 4.
Let f ∈ F [x1 , . . . , xn ]. Show that f is irreducible if and only if f h is irreducible.
∗ 5.
Let F be an algebraically closed field and f ∈ F [x1 , . . . , xn ]. Show that V (f ) is irreducible if and only if V (f h ) is irreducible.
6. Let f (x, y) = y 2 − x + 1 ∈ R[x, y]. (i) Graph V (f ). (ii) Graph V (f h ). (iii) Identify ϕh (V (f )) in V (f h ). 7. Let f (x, y) = y 2 − (x − 1)3 ∈ R[x, y]. (i) Graph V (f ). (ii) Graph V (f h ). (iii) Identify ϕh (V (f )) in V (f h ). 6.3 Projective Space
The observations in the previous section, especially Lemma 6.2.1 and Lemma 6.2.2 (iii), lead us to consider the following relation ∼ on F n+1 \{(0, 0, . . . , 0)}: (a1 , . . . , an+1 ) ∼ (b1 , . . . , bn+1 ) ⇐⇒ ∃ t ∈ F ∗ such that (b1 , . . . , bn+1 ) = t (a1 , . . . , an+1 ) = (ta1 , . . . , tan+1 ). It is very easy to see that ∼ is an equivalence relation. We define the ndimensional projective space over F to be Pn (F ) = (F n+1 \{0})/ ∼
that is, the set of ∼ classes. We call P2 (F ) the projective plane (over F ). Let us denote by [a1 , . . . , an+1 ] the ∼ class containing (a1 , . . . , an+1 ). For P2 (R), there is a nice geometric interpretation. For any point P = (a, b, c) ∈ R3 , P = (0, 0, 0), the line through the origin and P consists of the
Elliptic Curves 415
.... z ...6 .... . . . . [s,t,1] .... .. .... .. .... .... .. .......... .. .... ... . . [a,b,1] . . . . .. .. .. ..... .. .. ...... ...... . . .. ......... . . . . . . . .. Plane ... (a,b,1).....r.... ..... ... ....r ... ..r ... (s,t,1).... z=1 .. .. . . . . ...................... ............................... ... .. .. ... . (0,0,1)... . . . ................... ........................ . ... .. .. .. .... ... . .q ..................................................................................................................................................... .... .. ... ...... .... .. .......... .. .. .. ... .................................................................................................................................................................................................................................................................................... x . . . ........ .... ...... . . . . . . ...... ... .. ... ..... ..... .... ...... . . . . .... .. ...... ..... .... .. . ...... . . . . . .... . . .. .. .... . . . .... . . . . . . . . . . . .. .... .... .. . . . . . . .... . .. .. .... . . . .... . . . . . .. . y Figure 6.5
set of points {t (a, b, c) | (t ∈ R}. However, this is just [a, b, c] ∪ {(0, 0, 0)}. Thus we can consider any element [a, b, c] ∈ P2 (R) as a ray or line through the origin and the point (a, b, c) with the origin deleted. More generally, we define the line through the origin and the point (a1 , . . . , an+1 ) ∈ F n+1 to be the set of points {t (a1 , . . . , an+1 ) | t ∈ F }. In this way we can view the elements of Pn (F ) as lines in F n+1 through the origin (but with the origin deleted). Now ϕh (F n ) = {(a1 , . . . , an , 1) | ai ∈ F } so that each point in ϕh (F n ) determines a unique point [a1 , . . . , an , 1] in P2 (F ). Thus, we have an injective mapping ϕP : F n → Pn (F ) defined by ϕP (a1 , . . . , an ) = [a1 , . . . , an , 1].
416 Introduction to Applied Algebraic Systems
We can represent these mappings and structures digrammatically as follows: ϕh F n ...r.......................................................................................................................................r F (n+1) ... .. ... ... ... ... ... . . ... .. .. ... ... ... .. ... . ....... .......... ...... P ........ ... . ... . ... ... ... .. ... ... . ... . ... ... ... ... ...... ..
ϕ
r
F (n+1) /∼
= P n (F )
In other words, ϕP is just the composition of the mapping (a1 , . . . , an+1 ) −→ [a1 , . . . , an+1 ] of F n+1 to F n+1 / ∼ with the mapping ϕh . Now, for any [a1 , . . . , an , b] ∈ Pn (F ) with b = 0, we have [a1 , . . . , an , b] = [a1 b −1 , . . . , an b −1 , 1] so that ϕP (F n ) = {[a1 , . . . , an , 1] | ai ∈ F } = {[a1 , . . . , an , an+1 ] | ai ∈ F , an+1 = 0}. It is sometimes convenient simply to identify F n with ϕP (F n ). So, if ϕP (F n ) contains all the points of the form [a1 , . . . , an , an+1 ], an+1 = 0, what is new when we pass from F n to Pn (F )? The answer is: all the points of the form [a1 , . . . , an , 0]. These are the points in projective space corresponding to the lines through the origin that lie in the “hyperplane” defined by z = 0. We define the elements of the form [a1 , . . . , an , 0] to be points at infinity. Note that the elements in the class [a1 , . . . , an , 0] are precisely the elements in the plane z = 0 lying on the line through the points (a1 , . . . , an , 0) and the origin. We will get a better intuitive feeling for this and how the points with z = 0 relate to the points with z = 0 when we consider some examples. Projective spaces provide an interesting perspective on homogeneous polynomials. Lemma 6.3.1 Let h(x1 , . . . , xn+1 ) ∈ F [x1 , . . . , xn+1 ] be a homogeneous polynomial in x1 , . . . , xn+1 . Then V (h) is a union of ∼ classes, together with (0, . . . , 0). Proof. Let (a1 , . . . , an+1 ) ∈ V (h). By Lemma 6.2.1, t (a1 , . . . , an+1 ) ∈ V (h) for all t ∈ F ∗ . Thus, [a1 , . . . , an+1 ] ⊆ V (h) and V (h) (excluding the origin) is a union of ∼ classes. Also, (0, . . . , 0) ∈ V (h) for any homogeneous polynomial h.
Elliptic Curves 417
This makes it reasonable to define [a1 , . . . , an+1 ] to be a zero of the (homogeneous) polynomial h(x1 , . . . , xn+1 ) if h(a1 , . . . , an+1 ) = 0 and then we write [a1 , . . . , an+1 ] ∈ V (h). It further suggests that projective space might be a good context in which to study homogeneous polynomials. In particular, Lemma 6.3.1 makes it possible for us to adopt the following conventions. We refer to the elements of P2 (F ) as points. For any elements a, b, c ∈ F , not all zero, we call the set {[x, y, z] ∈ P2 (F ) : ax + by + cz = 0} a projective line in P2 (F ). With respect to these definitions of points and lines, P2 (F ) then becomes a projective geometry. This aspect will be explored in the exercises. Note that, in F 3 , V (ax + by + cz) consists of all points on a plane passing through the origin. Thus, the points on the projective line defined by the equation ax + by + cz = 0 are precisely the lines passing through the origin (less the origin) that lie in the plane in F 2 defined by the same equation ax + by + cz = 0. It is then customary to refer to the “line” ax + by + cz = 0 in P2 (F ). A particularly important instance of this is when we take a = b = 0, c = 1, which leads to the “line” z = 0. However, the points [x, y, z] ∈ P2 (F ) with z = 0 are precisely the points at infinity. Thus we have the situation where the points at infinity constitute a line in the projective plane P2 (F ). We saw earlier that, for any f ∈ F [x1 , . . . , xn ], we must expect that V (f h ) will be significantly larger than V (f ) or ϕh (V (f )). However, if we work in Pn (F ) instead of F n+1 , then the situation is quite different. Consider Example 6.2.3 again. There we see that for each point [a, b, c] ∈ V (x 2 + y 2 − z 2 ), since (a, b, c) = (0, 0, 0) we must have c = 0 so that [a, b, c] = [ac −1 , bc −1 , 1]
where
(ac −1 , bc −1 ) ∈ V (x 2 + y 2 − 1)
= ϕP (ac −1 , bc −1 ) ∈ ϕP (V (f )). Thus, in P2 (R), V (f h ) = V (x 2 + y 2 − z 2 ) ⊆ ϕP (V (f )). On the other hand, (a, b) ∈ V (f ) =⇒ (a, b, 1) ∈ V (f h ) =⇒ [a, b, 1] ∈ V (f h ).
418 Introduction to Applied Algebraic Systems
Thus, ϕP (V (f )) ⊆ V (f h ) and we have equality ϕP (V (f )) = V (f h ). We could express this by saying that in projective space V (f ) and V (f h ) come together. Note that there is no solution in this example of the form [∗, ∗, 0], since (a, b, 0) ∈ V (f h ) forces a = b = 0 and [0, 0, 0] is not an element of P2 (R). However, life is not always quite that simple. Indeed, if that were always the case, then there would be a good deal less interest in pursuing the added complication of P2 (F ) over F n . Example 6.3.2 Let f (x, y) = x + y − 1 ∈ R[x, y]. Then f (x, y) = 0 is just the equation of a line and f h (x, y, z) = x + y − z. (1) V (f h ) is the plane in R3 passing through the origin and containing the line x + y − 1 = 0, z = 1. (2) ϕh (V (f )) is exactly the line x + y − 1 = 0, z = 1 (see Fig. 6.6). (3) V (f h ) ⊇ ϕP (V (f )) = {[a, b, 1] | (a, b) ∈ V (f )}. This captures all points (a, b, c) ∈ V (f h ) with c = 0. However, (x, y, 0) ∈ V (f h ) ⇐⇒ x + y = 0. Thus, V (f h ) also contains the line x + y = 0,
z =0
or the point [1, −1, 0] in P2 (R) (see Fig. 6.6). In other words, V (f h ) contains one extra point in P2 (F ) in this case. One way to visualize the introduction of the point [1, −1, 0] is as the result of a limiting process. We can describe the result of lifting the line x + y − 1 = 0 into R3 either by the equations x + y − 1 = 0,
z =1
Elliptic Curves 419
or in parametric form x =1−t,
y=t,
z = 1.
When we transform these points into P2 (R), they assume the form 1 1 [1 − t , t , 1] = [1 − , −1, − ] t t → [1, −1, 0] as t → ∞ (see Fig. 6.6). Thus we can view the point [1, −1, 0] as arising from the process of taking the limit of a sequence of points in ϕP (V (f )). In fact, this is no accident and is not an isolated situation. It is, for that reason, that a deeper study of polynomials and their associated varieties requires a mixture of both algebraic and analytical techniques. Intuitively, we think of the point [1, −1, 0] as being added to our initial line x + y − 1 = 0,
z =1
at “infinity.” The only problem, when trying to visualize it, is that it is added at both “ends” of our line. So perhaps we have to view the line as being closed into a big infinite loop. .... .... .... ... ...[a, b, 1] ...6z ... .... .... ... ... ... .. . . . . ... . ... ... ... . .. ... ... ... ... .. ....... ....... . ..... .. ... . ... ....r... ...r .... . ...... z = 1 . . . . . . ....... ... ........ ...(a, b, 1) .. . .... . . ........... .... ... ... ... ......r. . .. .......... .... .... ...... ... ... .. ... ..... . . . . . = . ....... ... ..r...... .... .... ... . .... ... .. ... ... ... .. .. .... ......................... . ... ... ... .... ... ... . . . . . . . . . . . . . . ....... . .... ... .. ... ... ... .. . .... .... .... ... .................................................................................r................................................. ... ... ... ................ .... ... .. . ... ... ... .. . . . . . . ... ... ... ........ ... . . . . . . . ................ x +y −1 = 0 ... ... ... .......... .. .. .... ........... . ......... ...... . ... z=1 3 ...... ..... .... ......r.......... in R ......... ... ................ ................ .......... ..... x ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ......................................................... .....r................................................................................ ................ ... .... ................. ................ . . ................ ... .. ........... ... ... ... .................. . . . . . . x +y −1 = 0 . . . . . .. ... .... ...... . .. .... .... ... . in R2 . . . .. . ... .... .. . . . . . .... .. .. ... .. ... . . . . .. .. . y Figure 6.6
420 Introduction to Applied Algebraic Systems
When we homogenized a circle, we obtained no extra points in V (f h ). When we homogenized a line, we obtained one extra point. It is possible to have more. Let 1 f (x, y) = x 2 − y 2 − 1 ∈ R[x, y]. 4 Then f (x, y) = 0 is the equation of a hyperbola, and 1 f h (x, y, z) = x 2 − y 2 − z 2 . 4 For the solutions with z = 0, we have ϕP (V (f )) = {[a, b, 1] | (a, b) ∈ V (f )}. However, when z = 0 we obtain additional solutions from 1 2 x − y2 = 0 4 namely, 1 x − y = 0, 2
1 x + y = 0. 2
These provide two additional points in P2 (R): [2, 1, 0]
and
[2, −1, 0].
This process is illustrated in Figure 6.7. It is important to note that in these examples, the extra points added were points at infinity. As we now see, this is the only way that new points can be introduced. Proposition 6.3.3 Let f ∈ F [x1 , . . . , xn ]. Then ϕP (V (f )) = {[a1 , . . . , an+1 ] ∈ V (f h ) | an+1 = 0}. Proof. Let us denote the set on the right by S. Then (a1 , . . . , an ) ∈ V (f ) =⇒ ϕP (a1 , . . . , an ) = [a1 , . . . , an , 1] ∈ V (f h ). Hence, ϕP (V (f )) ⊆ S .
Elliptic Curves 421
.. z ..6 .. .. .. .. . ........... ... .. . . ........... . .. ........... .. ... ....................... . . ..................... .. .. ...................... ... . . . . . . . . . . . . . . . . . x −2y = 0 . . . . . . . . 1 2 ...................... 2 .. ... ... ........................ ..... 4 x −y −1 = 0 ............ . . . . . . . . . . . . . . .. ........... ... .. ......................................... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... ............ ... ........... .......... ... .r ..... .. ... ...................................................... ..... ... ... ... ... ... ... ... ... ............. ... ... ... ... .......... ... ............................................................................................................................................................................................................................... ....................r...................................... .. .... ................ ...... ..... . . . . . . . . . . . . . . . . . . . . . . . . . r . . . . . . . . ... ... ..... ........... ...... ... ... . . ....r. ........................................................................... ...................... ... ... ..... .... .... ....................... . . . . z =1 . . .............................. . . ...................... . . . . . . . ... . ..... .... ..... ...................... . . . . ..... . .... ...................... .. ... .. ... ..... ....................... ... .... ... .... ... ..... ........... . . . . . . . . ..... . ......... . . . . . . . .... .. .. .. . ..... . ... ..... .... .... ... ... ..... . x +2y = 0 ...... ... ... ..... .... ... ... .... ..... . . . . ..... .... ... .. .. . ..... .... ... ... ... ... . ..... . . . . . . . .... .. .. .. ..... . .... ... ... ... ..... ... . ..... . . . . . . . . . . . .. ..... . ..... ...... ......... .... ... ..... .... .... ... . ..... ... ...... .. .... ..... ... ... .. .. ..... ....... . ..... ......... .. .. .... .................................................................................................................................................................................................................................................................................... . . .. x ... .... .... .......... . . . . . .. ..... .. .... ........... ... .. ... ... ... ... .... ... . .. . . . . .. . . ... ... . . ... y Figure 6.7
Conversely, [a1 , . . . , an+1 ] ∈ S =⇒ an+1 = 0 −1 −1 =⇒ [a1 , . . . , an+1 ] = [a1 an+1 , . . . , an an+1 , 1]
and, if m = deg(f ), −1 −1 −1 m −1 −1 f (a1 an+1 , . . . , an an+1 ) = (an+1 ) (an+1 )m f (a1 an+1 , . . . , an an+1 ) −1 m h ) f (a1 , . . . , an , an+1 ) = (an+1 −1 m = (an+1 ) ·0
= 0.
422 Introduction to Applied Algebraic Systems −1 −1 Therefore, (a1 an+1 , . . . , an an+1 ) ∈ V (f ) and
[a1 , . . . , an , an+1 ] ∈ ϕP (V (f )). Thus, S ⊆ ϕP (V (S)) and equality prevails.
Example 6.3.4 Let us consider what happens with an elliptic curve as we move from affine to projective space. Let f (x, y) = y 2 − (x 3 + ax + b) ∈ F [x, y]. Then f h (x, y, z) = y 2 z − (x 3 + axz 2 + bz 3 ) ∈ F [x, y, z]. By Proposition 6.3.3, V (f h ) = ϕP (V (f )) ∪ {[x, y, 0] | (x, y, 0) ∈ V (f h ), (x, y) = (0, 0)}. Now [x, y, 0] ∈ V (f h ) ⇐⇒ −x 3 = 0. Thus we have a triple point where x = 0. Since [0, y, 0] = [0, 1, 0] for all y ∈ F ∗ , we see that V (f h ) has exactly one new point at “infinity”—namely, [0, 1, 0]. It is also important to notice that the line z = 0 intersects V (f h ) in [0, 1, 0] with multiplicity 3. This means that z = 0 is the tangent to V (f h ) at [0, 1, 0] and also that the multiplicity of intersection is 3. We can confirm parametrically that the line at infinity (z = 0) is the unique line through the point [0, 1, 0] with multiplicity of intersection with V (f h ) greater than one. In other words, the line at infinity is the tangent to V (f h ) at the point [0, 1, 0]. A line in P2 (F ) consists of all the projective points contained in a plane W , say, through the origin in F 3 . A plane through the origin in F 3 is just a subspace of dimension 2 and is therefore spanned by any two independent vectors u = (x1 , y1 , z1 ), v = (x2 , y2 , x2 ) in W. Then the points of W are just the linear combinations su + tv = s(x1 , y1 , z1 ) + t (x2 , y2 , x2 ) = (sx1 + tx2 , sy1 + ty2 , sz1 + tz2 )
Elliptic Curves 423
of u and v, where s, t ∈ F . This yields the following parametric description of W : x = sx1 + tx2 y = sy1 + ty2 z = sz1 + tz2 in terms of the parameters s and t . Now, to ensure that W passes through the point [0, 1, 0] (equivalently, for W as a subspace of F 3 to contain the line [0, 1, 0]), we can choose (x1 , y1 , z1 ) = (0, 1, 0) so that the parametric equations become x = tx2 y = s + ty2 z = tz2 . Substituting these expressions into f h , we obtain f h (tx2 , s + ty2 , tz2 ) = (s + ty2 )2 tz2 − ((tx2 )3 + atx2 (tz2 )2 + b(tz2 )3 ) = t [(s + ty2 )2 z2 − t 2 (x23 + ax2 z22 + bz23 )]. We have a common factor t , as expected, corresponding to the point of intersection given by t = 0—namely, x = 0, y = s, z = 0 or the point [0, s, 0] = [0, 1, 0]. The only way that we can obtain a multiple factor t m with m > 1 from f h (tx2 , s + ty2 , tz2 ), remembering that we are considering f h (tx2 , s + ty2 , tz2 ) as a polynomial in s and t , is if z2 = 0, and then f h (tx2 , s + ty2 , tz2 ) = −t 3 x23 . Thus we obtain a unique line with intersection multiplicity greater than one when z2 = 0. However, that is precisely the case when all the points 0, (0, 1, 0) and (x2 , y2 , 0) lie in the plane z = 0 (in F 3 ) or the line z = 0 in P2 (F ). An important feature of the projective plane is that curves that did not intersect might intersect when homogenized. To see this, consider two parallel lines in R2 : x + y − 1 = 0,
x + y − 2 = 0.
Clearly, these do not intersect in R2 . Let f (x, y) = x + y − 1 ,
g (x, y) = x + y − 2.
424 Introduction to Applied Algebraic Systems
Then f h (x, y, z) = x + y − z ,
g h (x, y, z) = x + y − 2z.
In P2 (R), f h has solutions [t , 1 − t , 1]
and
[1, −1, 0]
and
[1, −1, 0].
whereas g h has solutions [t , 2 − t , 1]
Thus, f h = 0 and g h = 0 “intersect” in the point [1, −1, 0]. Now, by Lemma 6.2.2, the point [t , 1 − t , 1] in P2 (R) corresponds to the points (t , 1 − t ) in R2 whereas the point [t , 2 − t , 1] in P2 (R) corresponds to the points (t , 2 − t ) in R2 . Thus we could think of f h (x, y, z) = 0 and g h (x, y, z) = 0 as being lines in R2 but with a point [1, −1, 0] being added “at infinity” as their point of intersection. If we repeat this process with all lines in R2 , we arrive at a geometric interpretation of P2 (R) as being obtained from R2 by the adjunction of points at infinity—one point for each family of parallel lines or one point for each line through the origin. Further remarks: (1) When we extend a line L : a1 x + b1 y + c1 = 0 to the projective plane L h : a1 x + b1 y + c1 z = 0 we are adding to L a single point [−b1 , a1 , 0] “at infinity.” (2) When we extend an elliptic curve E : y 2 = x 3 + ax + b to the projective plane E h : y 2 z = x 3 + axz 2 + bz 3 we are also adding to E a single point [0, 1, 0] at infinity. When b1 = 0, L and E will intersect at the point [0, a1 , 0] = [0, 1, 0] “at infinity.”
Elliptic Curves 425
(3) An elliptic curve E is nonsingular and so there exists a tangent at every point on E in F 2 . In P2 (F ), we have one additional point [0, 1, 0]. Substituting z = 0 into E h : y 2 z = x 3 + axz 2 + bz 3 we obtain x 3 = 0. Thus, [0, 1, 0] is a triple point of intersection of the line z = 0 with E h . (4) Let P = (x1 , y1 ). Then the line in P2 (F ) through P = [x1 , y1 , 1] and [0, 1, 0] is x = x1 z which is the extension to P2 (F ) of the line x = x1 . Exercises 6.3 1. Show that ∼ does not respect +. 2. Let (x1 , y1 , z1 ), (x2 , y2 , z2 ) ∈ F 3 be such that (x1 , y1 , z1 ) = (0, 0, 0) = (x2 , y2 , z2 ) and x1 y2 = x2 y1 ,
x1 z2 = x2 z1 ,
y1 z2 = y2 z1 .
Show that [x1 , y1 , z1 ] = [x2 , y2 , z2 ]. 3. Let h = ax + by + cz ∈ F [x, y, z] and [x1 , y1 , z1 ] = [x2 , y2 , z2 ] in P2 [F ]. Show that (x1 , y1 , z1 ) ∈ V (h) ⇔ (x2 , y2 , z2 ) ∈ V (h). 4. Let f (x, y) = 14 x 2 − y 2 − 1 ∈ R[x, y]. (i) Using the point (2, 0) and the line x = 0, derive the following parametric representation for the hyperbola f (x, y) = 0: x=
2(1 + t 2 ) , t2 − 1
y=
2t . t2 − 1
(ii) The parameterization in (i) provides the following parameterization of ϕP (V (f )):
2(1 + t 2 ) 2t , 2 , 1 . t2 − 1 t −1
426 Introduction to Applied Algebraic Systems
Use this parameterization to derive the two points in V (f h ) that do not lie in ϕP (V (f )) as limits of points in ϕP (V (f )). ∗ 5.
Let f (x, y) = −x 2 +
y2 9
− 1 ∈ R[x, y].
(i) Show that in P2 (R), the difference between V (f h ) and ϕP (V (f )) consists of the two points [1, 3, 0] and [1, −3, 0]. (ii) Using the point (0, 3) and the line y = 0, derive the following parameterization for V (f ): x=
2t , 1 − t2
y=
3(t 2 + 1) . t2 − 1
(iii) Use the resulting parameterization
2t 3(t 2 + 1) , 1 , 1 − t2 t2 − 1
of ϕP (V (f )) to derive the points [1, 3, 0] and [1, −3, 0] as limits of points in ϕP (V (f )). 6. Let f (x, y) = y 2 − 2(x − 1) ∈ R[x, y]. (i) Show that in P2 (R), the difference between V (f h ) and ϕP (V (f )) is the single extra point [1, 0, 0]. (ii) Using the point (1, 0) and the line x = 0, derive the following parameterization for V (f ): x =1+
2 , t2
y=
2 . t
(iii) Use the resulting parameterization
2 2 1 + 2, − , 1 t t
of ϕP (V (f )) to derive the point [1, 0, 0] as a limit of points in ϕP (V (f )). 7. Let f (x, y) = y 2 − (x − 1)(x − 2)2 ∈ R[x, y]. (i) Show that in P2 (R), the difference between V (f h ) and ϕP (V (f )) is the single extra point [0, 1, 0]. (ii) Using the point (2, 0) and the line x = 1, derive the following parameterization of V (f ): x = 1 + t 2,
y = −t (t 2 − 1).
Elliptic Curves 427
(iii) Use the resulting parameterization [1 + t 2 , −t (t 2 − 1), 1] of ϕP (V (f )) to derive the point [0, 1, 0] as a limit of points in ϕP (V (f )). 8. Find the equation of the line (in homogeneous form) through each of the following pairs of points in P2 (F ): (i) (ii) (iii) (iv)
[1, 0, 1], [1, 2, 1]. [0, 1, 1], [2, 1, 2]. [2, −1, 1], [1, 1, 0]. [2, 1, 0], [1, 2, 0].
9. Show that all points “at infinity” in P2 (F ) lie on a single line.
6.4 Intersection of Lines and Curves
One of the big advantages of working in projective space over an algebraically closed field as opposed to affine space over an arbitrary field is that it regularizes the pattern of intersection between curves. Let f (x, y) ∈ F [x, y]. Then, C : f (x, y) = 0 is a line if a conic (or quadratic) if a cubic if
deg (f (x, y)) = 1 deg (f (x, y)) = 2 deg (f (x, y)) = 3, and so on.
We extend these definitions to P2 (F ). Let h(x, y, z) ∈ F [x, y, z] be a homogeneous polynomial. Then C = {[x, y, z] ∈ P2 (F ) | h(x, y, z) = 0} is a line if a conic if a cubic if
deg (h(x, y, z)) = 1 deg (h(x, y, z)) = 2 deg (h(x, y, z)) = 3.
In F 2 , a line L can intersect another line in zero or one point; it can intersect a conic in zero, one, or two points; and it can intersect a cubic in zero, one, two, or three points. However, adding the assumption that F is algebraically closed, working over projective space and counting multiplicities, the picture
428 Introduction to Applied Algebraic Systems
changes significantly. We consider the two cases that are most important for us later. Intersection of Two Lines. Consider two distinct lines L1 : a1 x + b1 y + c1 = 0 (a1 , b1 not both 0) L2 : a2 x + b2 y + c2 = 0 (a2 , b2 not both 0). In F 2 , L1 and L2 may have one point of intersection or no points of intersection. Now consider P2 (F ). There we have the homogenized forms L1h : a1 x + b1 y + c1 z = 0
(6.7)
L2h : a2 x + b2 y + c2 z = 0.
(6.8)
Without loss of generality, we may assume that a1 = 0. Then, from (6.7), x = −a1−1 (b1 y + c1 z)
(6.9)
and, substituting this into (6.8), −a2 a1−1 (b1 y + c1 z) + b2 y + c2 z = 0 so that (−a2 a1−1 b1 + b2 )y + (−a2 a1−1 c1 + c2 )z = 0.
(6.10)
Let α = (−a2 a1−1 b1 + b2 ) and β = (−a2 a1−1 c1 + c2 ). Then α = β = 0 =⇒ a2 = a1−1 a2 a1 , b2 = a1−1 a2 b1 , c2 = a1−1 a2 c1 =⇒ (a2 , b2 , c2 ) = λ(a1 , b1 , c1 ) with λ = a1−1 a2 =⇒ L1h , L2h are the same line. Hence, either α = 0 or β = 0. Let us assume that α = 0. Then, from (6.10), y = −α −1 βz and, from (6.9), x = −a1−1 (b1 (−α −1 βz) + c1 z) = (a1−1 b1 α −1 β − a1−1 c1 )z. Therefore, there is a unique point of intersection at [(a1−1 b1 α −1 β − a1−1 c1 )z, −α −1 βz, z] = [a1−1 b1 α −1 β − a1−1 c1 , −α −1 β, 1].
Elliptic Curves 429
Thus, we have actually established the following result. Proposition 6.4.1 Any two distinct lines in P2 (F ) meet in exactly one point. We shall leave the consideration of the intersection of lines with conics to the exercises and pass on to the consideration of the intersection of a line and an elliptic curve. Intersection of a Line with an Elliptic Curve. Consider the following line and elliptic curve L : a1 x + b1 y + c1 = 0 (a1 , b1 not both zero) E : y 2 − (x 3 + ax + b) = 0. (For the current discussion, it is not necessary that E be nonsingular.) In F 2 , L and E may have zero, one, two, or three points of intersection. Now consider P2 (F ). Here we have the homogenized forms L h : a1 x + b1 y + c1 z = 0 E h : y 2 z − (x 3 + axz 2 + bz 3 ) = 0. Case (i) b1 = 0. Suppose that there is a solution with z = 0. As a point on E h we must then have x 3 = 0, or x = 0, so that from L h we have b1 y = 0 or y = 0. However, [0, 0, 0] is not a point in P2 (F ). Consequently, if b1 = 0, then there are no solutions of the form [∗, ∗, 0]. But, for z = 0, [x, y, z] = [xz −1 , yz −1 , 1] so we need only consider solutions with z = 1, which returns us to finding the points of intersection of L and E in F 2 . Since b1 = 0, we have y = − b1−1 (a1 x + c1 ) from L, which we can substitute into E to obtain an equation of the form x 3 + αx 2 + βx + γ = 0. Since F is algebraically closed, we obtain 3 solutions (counting multiplicities) corresponding to 3 points of intersection in P2 (F ). Case (ii) b1 = 0, a1 = 0. Then, from the equation for L h , we obtain x = −a1−1 c1 z. Substituting into E h , we find that 0 = y 2 z − ((−a1 c1 z)3 + a(−a1 c1 z)z 2 + bz 3 ) = z[y 2 − z 2 (−a13 c13 − aa1 c1 + b)] = z[y 2 + z 2 (a13 c13 + aa1 c1 − b)].
(6.11)
430 Introduction to Applied Algebraic Systems
As expected, one solution is given by z = 0. In this case, by (6.11), we also have x = 0, so that [0, y, 0] = [0, 1, 0] is a solution. Now consider the other possibility that y 2 + z 2 (a13 c13 + aa1 c1 − b) = 0
(6.12)
and let α = (a13 c13 + aa1 c1 − b). Case (iia) If α = 0, then by (6.12) we get y 2 = 0, yielding the double point [x, 0, z] = [−a1−1 c1 z, 0, z] = [−a1−1 c1 , 0, 1]. Thus, we have a single point and a double point of intersection, giving a total of three points of intersection, counting multiplicities. Case (iib) Now suppose that α = 0. Since the field F is algebraically closed, there exists an element β ∈ F with β 2 = α. From (6.12) we then have y = ±βz, which yields two distinct solutions if char(F ) = 2 and a repeated solution if char(F ) = 2—namely, [−a1−1 c1 z, ±βz, z] = [−a1−1 c1 , ±β, 1]. Thus, in all cases, counting multiplicities, we have three points of intersection. Theorem 6.4.2 Let F be an algebraically closed field. Then any line and curve of the form y 2 = x 3 + ax + b will have three points of intersection in P2 (F ), counting multiplicities. One immediate consequence of Theorem 6.4.2 is the following corollary, which will be of importance to us when discussing groups on elliptic curves. Corollary 6.4.3 Let F be an algebraically closed field. Let Li : Li (x, y, z) = 0, 1 ≤ i ≤ 3, be three (not necessarily distinct ) lines and let C : L1 (x, y, z)L2 (x, y, z)L3 (x, y, z) = 0. Let E be an elliptic curve. Then, counting multiplicities, E h and C h have 9 points in common in P2 (F ). In fact, what we have just established in Theorem 6.4.2 is a very special case of a much general and deeper theorem that is beyond the scope of this book: Theorem 6.4.4 (Bézout’s Theorem) Let F be an algebraically closed field and Ci : fi (x, y, z) = 0 (i = 1, 2) be curves in P2 (F ) of degrees m and n, respectively,
Elliptic Curves 431
and with no irreducible components in common. Then, with appropriate counting of multiplicities, C1 and C2 have exactly mn points in common in P2 (F ). Bézout’s Theorem can be particularly helpful when the conclusion is violated. In other words, if the curves Ci : fi (x, y, z) = 0 (i = 1, 2) have more than mn points in common, then they must have a common component. This could lead to a factorization of f1 or f2 . Moreover, this can be applied over fields that are not algebraically closed, since by passing to the projective space over a (possibly larger) algebraically closed field, the number of points of intersection can only increase (see section 6.7.) Now, since we are working with points in the projective plane and can identify triples that are nonzero multiples of each other, we know that the only values of z that we have to consider are z = 0, z = 1. So it is tempting just to substitute in these values and see what we get. If we get a complete set of distinct points, then there is no problem. However, whenever there are repetitions, we have to be more careful. When searching for additional points of intersection in P2 (F ), it will sometimes happen that we will want to count a point with z = 0 as a repeated point. If, for example, we arrived at the point where we wished to solve the equation z m g (x, y, z) = 0 where z is not a factor of g (x, y, z), and if the choice of z = 0 led to solutions (x0 , y0 , 0) different from (0, 0, 0), then we would consider each of these solutions as m-times repeated. Exercises 6.4 1. Let F be a family of (at least two) parallel lines in R2 . Show that they intersect at a common point in P2 (R). 2. Let P ∈ P2 (R) but P ∈ ϕh (R2 ), where ϕh is defined as in Lemma 6.2.2. Show that there exist two parallel lines in R2 that intersect in P. 3. Let C : x 2 + y 2 − 1 = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) (ii) (iii) (iv)
x + y − 1√= 0 in R2 . x + y − 2 = 0 in R2 . ix − y + 2 = 0 in C2 and in P2 (C). ix + y = 0 in C2 and in P2 (C).
4. Let C : x 2 /16 + y 2 − 1 = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) x − y = 0 in R2 . (ii) y − 1 = 0 in R2 .
432 Introduction to Applied Algebraic Systems
(iii) y − 3 = 0 in R2 and in C2 . (iv) x − 4iy = 0 in C2 and in P2 (C). 5. Let C : y 2 − 4x = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) (ii) (iii) (iv)
x − y − 2 = 0 in R2 . x − 2y + 4 = 0 in R2 . x − y + 2 = 0 in R2 and in C2 . y − 3 = 0 in R2 , C2 and in P2 (C).
6. Let C : x 2 /4 − y 2 /9 − 1 = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) (ii) (iii) (iv)
x − 3 = 0 in R2 . x − 1 = 0 in R2 and in C2 . 3x − 2y = 0 in R2 , C2 and in P2 (C). 3x − 2y + 2 = 0 in R2 , C2 and in P2 (C).
7. Let C : (x − y + 1)(2x − y + 1) = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) x − 2y + 1 = 0 in R2 . (ii) 2x − 2y + 1 = 0 in R2 , C2 and in P2 (C). 8. Let C : (x − y)(x − y + 1) = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) 2x − y + 1 = 0 in R2 . (ii) 2x − 2y − 3 = 0 in R2 , C2 and in P2 (C). 9. Let C : (x − 1)2 + (y − 1)2 = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) x − 2y + 1 = 0 in R2 . (ii) x − y + 1 = 0 in R2 and in C2 . (iii) x − iy − 1 = 0 in R2 , C2 and in P2 (C). 10. Let C : y 2 − (x − 1)(x − 4)(x − 5) = 0. Determine the number of points of intersection of C with each of the following lines in the contexts indicated: (i) (ii) (iii) (iv) (v)
x − y − 1 = 0 in R2 . x − y = 0 in C2 . x − 2 = 0 in R2 , in C2 and in P2 (C). x = 0 in R2 , in C2 and in P2 (C). x − 1 = 0 in R2 , C2 and in P2 (C).
Elliptic Curves 433
11. Let f (x, y) = x 2 − y 2 + 1, g (x, y) = x 2 − y 2 + 2. Discuss the number of points of intersection of C1 : f (x, y) = 0, C2 : g (x, y) = 0 in the following contexts: (i) R2 . (ii) C2 . (iii) P2 (C). 12. Let f (x, y) = x 3 − 2x 2 y − 3xy 2 + x + 2, g (x, y) = x 3 − 2x 2 y − 3xy 2 + y + 1 ∈ C[x, y]. Determine the points of intersection of C1 : f (x, y) = 0 and C2 : g (x, y) = 0 in P2 (C). 6.5 Defining Curves by Points
In this section we consider the question of how many points it takes to define a curve. We are interested in curves in the projective plane defined by homogeneous polynomials. Since it is the simplest, extends what we already know, and illustrates the general case nicely, we begin with lines. Lemma 6.5.1 Let P1 = [x1 , y1 , z1 ], P2 = [x2 , y2 , z2 ] ∈ P2 (F ) be distinct points. Then there is a unique line in P2 (F ) passing through P1 and P2 —namely, (y2 z1 − y1 z2 )x + (x1 z2 − x2 z1 )y + (−x1 y2 + x2 y1 )z = 0.
(6.13)
Proof. By straightforward subsitution we can verify that P1 and P2 lie on the line given in (6.13). Now consider the general equation of a line in P2 (F ): L : ax + by + cz = 0. Then L passes through P1 and P2 if and only if ax1 + by1 + cz1 = 0 ax2 + by2 + cz2 = 0. We wish to solve these equations for a, b, c (with a, b, c not all equal to zero). Now, not all of x1 , y1 , z1 can be zero since [0, 0, 0] is not a point in P2 (F ). So, without loss of generality, we may assume that x1 = 0. Then we have x1 a + y1 b + z1 c = 0
(6.14)
(y2 − x2 x1−1 y1 )b + (z2 − x2 x1−1 z1 )c = 0.
(6.15)
If y2 = x2 x1−1 y1 and z2 = x2 x1−1 z1 , then x2 x1−1 = 0 (since P2 = [0, 0, 0]) and (x2 , y2 , z2 ) = x2 x1−1 (x1 , y1 , z1 )
434 Introduction to Applied Algebraic Systems
which would imply that P2 = [x2 , y2 , z2 ] = [x1 , y1 , z1 ] = P1 . However, by hypothesis, P1 = P2 . Therefore, one of p = y2 − x2 x1−1 y1 ,
q = z2 − x2 x1−1 z1
must be nonzero. Let us assume that q = 0. Then, from (6.14) and (6.15), we have c = −q −1 pb a = −x1−1 (y1 b − q −1 pz1 b) = −x1−1 (y1 − q −1 pz1 )b and the equation for L becomes −x1−1 (y1 − q −1 pz1 )bx + by − q −1 pbz = 0. We may assume that b = 0 because, if b = 0, then a = c = 0 and we no longer have the equation of a line. Removing the common factor b and multiplying by x1 q ( = 0), we obtain −(y1 q − pz1 )x + x1 qy − x1 pz = 0 or (y2 z1 − x2 x1−1 y1 z1 − y1 z2 + x2 x1−1 y1 z1 )x + x1 qy − x1 pz = 0 which simplifies to (y2 z1 − y1 z2 )x + (x1 z2 − x2 z1 )y + (−x1 y2 + x2 y1 )z = 0. Since the line given by this equation does indeed pass through the points P1 and P2 , it follows that this is the unique line passing through these two points. Next we consider curves defined by homogeneous polynomials of degree n. We need to know the number of monomial terms in such a polynomial. We restrict our attention to polynomials in three variables. Lemma 6.5.2 Let f (x, y, z) ∈ F [x, y, z] be a homogeneous polynomial of degree . n. Then the largest possible number of monomial terms in f (x, y, z) is (n+1)(n+2) 2
Elliptic Curves 435
Proof. For each i with 0 ≤ i ≤ n, consider the number of monomials of degree n (the coefficients are not important here) of the form x i y j z k . We must have j +k =n−i which means that there are precisely n − i + 1 possible choices for the pair (j, k). Tabulating the numbers of possibilities, we have i
# (j, k)
n
1
n−1
2
n−2 .. .
3
0
n+1.
Therefore, the largest possible number of monomial terms is 1 + 2 + 3 + · · · + (n + 1) =
(n + 1)(n + 2) . 2
For each n ∈ N, put the monomials of degree n in some order, m1 (x, y, z), m2 (x, y, z), . . . , mk (x, y, z) where k =
(n+1)(n+2) . 2
Now define a mapping µn : P2 (F ) → F k by
µn ([a, b, c]) = (m1 (a, b, c), m2 (a, b, c), . . . , mk (a, b, c)). Theorem 6.5.3 Let n ∈ N, k = (n+1)(n+2) , and P1 , . . . , Pk−1 be points in P2 (F ). 2 Then there exists a curve defined by a nonzero homogeneous polynomial of degree n that passes through the points P1 , . . . , Pk−1 . The curve is unique if and only if the vectors µn (Pi ), 1 ≤ i ≤ k − 1, are independent in F k . Proof. Let Pi = [xi , yi , zi ]. Let f (x, y, z) ∈ F [x, y, z] be a homogeneous polynomial of degree n with unspecified coefficients. With the notation introduced prior to the theorem, f (x, y, z) has k monomial terms cj mj (x, y, z), 1 ≤ j ≤ k. In order that the curve C : f (x, y, z) = 0 passes through the points Pi , we must have f (xi , yi , zi ) = 0
(1 ≤ i ≤ k − 1).
436 Introduction to Applied Algebraic Systems
Thus, we have k − 1 homogeneous linear equations in the k unknowns cj . Hence, there must exist a nonzero solution. To be more precise, let A be the (k − 1) × k matrix with ith row equal to µn ([ai , bi , ci ]). Let X = [c1 , . . . , ck ]T . Then any nonzero solution to the homogeneous system of equations AX = 0 provides the coefficients for a nonzero homogeneous polynomial f with Pi ∈ V (f ), i = 1, . . . , k − 1. If the vectors µk ([xi , yi , zi ]) are independent, then rank (A) = k − 1 and the dimension of the solution space is 1. Thus, any two nonzero solutions are scalar multiples of each other so that the resulting polynomials are scalar multiples of each other and they define the same curve. On the other hand, if the vectors µk ([xi , yi , zi ]) are not independent, then rank (A) < k − 1 and so the dimension of the solution space for AX = 0 is at least 2. Thus, there will be two nonzero polynomials f1 , f2 that are not scalar multiples of each other with Pi ∈ V (f1 ) ∩ V (f2 ), i = 1, . . . , k − 1. Consider the case of conics. Here, n = 2 so that the number of distinct monic monomials is k=
(2 + 1)(2 + 2) = 6. 2
Let us order these six monomials as follows: x 2 , xy, xz, y 2 , yz, z 2 and define µ2 accordingly. Theorem 6.5.3 tells us that there will be a conic passing through any five points in P2 (F ). Example 6.5.4 Consider the following points in P2 (Q): P1 = [1, 0, 0], P2 = [0, 1, 0], P3 = [0, 0, 1], P4 = [1, 0, 1], P5 = [1, 1, 1]. Then, in matrix form, A =
⎡
⎤ ⎡ µ2 (P1 ) = 1 ⎢ . ⎥ ⎢0 ⎢ .. ⎥ ⎢ ⎢ ⎥ ⎢0 ⎢ ⎥ ⎢ ⎢ ⎥ ⎣1 ⎣ ⎦ 1 µ2 (P5 )
0 0 0 0 1
0 0 0 1 1
0 1 0 0 1
0 0 0 0 1
⎤ 0 0⎥ ⎥ 1⎥ ⎥ 1⎦ 1 .
Elliptic Curves 437
Using the first row, we reduce A to ⎡
1 ⎢0 ⎢ ⎢0 ⎣0 0
0 0 0 0 1
0 0 0 1 1
0 1 0 0 1
0 0 0 0 1
⎤ 0 0⎥ ⎥ 1⎥ 1⎦ 1
0 1 0 0 0
0 0 0 0 1
⎤ 0 0⎥ ⎥ 1⎥ 0⎦ 0
and further reduce it, using other rows, to B =
⎡
1 ⎢0 ⎢ ⎢0 ⎣0 0
0 0 0 0 1
0 0 0 1 0
which clearly has rank 5, so that the vectors µ2 (P1 ), . . . , µ2 (P5 ) are independent and the solution is unique. Reducing A as before, we solve B
⎡ ⎤ c1 = 0 ⎢c2 ⎥ ⎢ ⎥ ⎢ .. ⎥ ⎣.⎦ c6
to obtain
c1 = c3 = c4 = c5 = 0,
c2 = −c5 .
Thus, the unique conic passing through P1 , . . . , P5 is −c5 xy + c5 yz = 0 or xy − yz = 0. There is one situation when it is obvious from the geometry that five distinct points in P2 (F ) do not determine a unique conic. Suppose that P1 , P2 , P3 , and P4 are distinct collinear points—say, P1 , P2 , P3 , P4 ∈ V (l)— where l(x, y, z) ∈ F [x, y, z] is homogeneous of degree 1. Let P5 be a fifth distinct point and li ∈ F [x, y, z], i = 1, 2, 3, 4, be such that V (li ) is the line determined by Pi and P5 (1 ≤ i ≤ 4). Then, P1 , P2 , . . . , P5 ∈ V (ll1 ) ∩ V (ll2 ) ∩ . . . ∩ V (ll4 ) where the V (lli ) are distinct conics.
438 Introduction to Applied Algebraic Systems .... ... .. ... .... .. .. ... .... .. . ... ............. ...... .... ..... 5 ...... ........... . . .. .. .. ..... . . . .. .. .... . . . .. .... .. .... ... .... .. .... .... . .. .... .. .... .. . . .... . . .. . . 1 4 .... .. . . . . . .. .... .. . . . . . .... .. .. . . . . . .... .. .. . . . . . .... .. . .. .... .... .. .. .... .... .. .... .. ... .. .... ... .. . . . . .. .... .. . . . . . .... .. .. . . .... . . .. .. . .... . . . . .. . .. .... . . . . .. . . . . . . ........................................................................................................................................................................................................................................................................................................................................................................... .... . . . .. .. . . ... . . .
r
P
l =0
r
P1
l =0
r
P2
r
P3
l=0
r
P4
However, we will see in section 6.7 that, provided no four of the points are collinear, then five distinct points will determine a unique conic. With the help of Bézout’s Theorem, we can determine one set of circumstances under which we obtain a unique conic without resorting to the calculation of the vectors µn (Pi ) and Theorem 6.5.3. Corollary 6.5.5 Let F be an algebraically closed field. Let P1 , . . . , P5 ∈ P2 (F ) be distinct points and f (x, y, z) ∈ F [x, y, z] be an irreducible homogeneous polynomial of degree 2 such that the curve C : f (x, y, z) = 0 passes through P1 , . . . , P5 . Then C is the unique conic through P1 , . . . , P5 . Proof. Let D : g (x, y, z) = 0 be another curve of degree 2, with g (x, y, z) ∈ F [x, y, z] homogeneous, and passing through P1 , . . . , P5 . Since f is irreducible and F is algebraically closed, V (f ) is irreducible by Corollary 5.6.4. We now consider two cases: Case (i) V (f ) ⊆ V (g ). By Corollary 5.6.4 (i), f divides g . Since deg(f ) = deg(g ) = 2, there must exist λ ∈ F ∗ with g = λf . Case (ii) V (f ) ⊆ V (g ). Then, since V (f ) is irreducible, V (f ) and V (g ) have no irreducible component in common and, by Bézout’s Theorem, |V (f ) ∩ V (g )| = 4, which is a contradiction. Thus, we must have g = λf , for some λ ∈ F ∗ , and V (g ) = V (f ) so that C is unique. Exercises 6.5 1. Show that the criterion in Theorem 6.5.3 is independent of the representatives chosen for the elements of P2 (F ). 2. Show that, for all n ∈ N, there exists an irreducible homogeneous polynomial f (x, y, z) ∈ F [x, y, z] of degree n.
Elliptic Curves 439
3. Use the preceding exercise and Bézout’s Theorem to show that, in general, n 2 points are insufficient to determine a curve in P2 (F ) of degree n ∈ N uniquely. 4. (i) Show that n 2 > (n+1)(n+2) for all n ∈ N, n ≥ 4. 2 (ii) Reconcile (i), Theorem 6.5.3, and the observation in Exercise 3. 5. Let P = [x1 , y1 , z1 ], Q = [x2 , y2 , z2 ] be distinct points in P2 (F ). Show that µ2 (P) and µ2 (Q) are independent vectors in F 6 . 6. Let P = [x1 , y1 , z1 ], Q = [x2 , y2 , z2 ] be distinct points in P2 (F ). Use Theorem 6.5.3 to show that there exists a unique line ax + by + cz = 0 through the points P, Q. 7. Find a conic passing through the points [1, 0, 1], [1, 0, −1],
[1, 1, 0],
[1, −1, 0],
[0, 1, 0]
in P2 (Q). 8. Show that the points [0, 0, 1], [1, 1, 1], [2, 2, 1], [3, 3, 1], [1, −1, 1] ∈ P2 (Q) fail the test in Theorem 6.5.3. Find two distinct conics passing through these points. 9. Show that the conics that you found in Exercise 8 are reducible. 10. Let F be an algebraically closed field, f , g ∈ F [x, y, z] be homogeneous polynomials of degree n, and P1 , . . . , Pn2 +1 be distinct points in V (f ) ∩ V (g ). Show that if f is irreducible, then there exists λ ∈ F ∗ with g = λf .
6.6 Classification of Conics
The material in this section is not required in later sections, but the fact that we are able to classify conics so precisely does focus the spotlight on the natural next step—cubics. From elementary calculus, we are all familiar with the classification of conics (conic sections) in R2 into circles, ellipses, hyperbolas, parabolas, pairs of lines, and points. Somewhat unexpectedly, the classification is much simpler in the projective plane P2 (R). Throughout this section, we will work over the field R. Recall that by a conic we mean a curve in P2 (F ) defined by an equation of the form f (x, y, z) = 0
440 Introduction to Applied Algebraic Systems
where f (x, y, z) ∈ F [x, y, z] is a homogeneous polynomial of degree 2. The most general form for the polynomial f (x, y, z) is f (x, y, z) = ax 2 + by 2 + cz 2 + dxy + exz + fyz. Since we are assuming that F = R in this section, we may rewrite this as f (x, y, z) = ax 2 + by 2 + cz 2 + 2dxy + 2exz + 2fyz f
(where we have simply written d, e, and f as 2( d2 ), 2( 2e ), and 2( 2 )). Using matrix notation, we can then write ⎡
a f (x, y, z) = [x, y, z] ⎣d e
d b fc
⎤ ⎡ ⎤ e x f ⎦ ⎣y ⎦ z
= [x, y, z] A [x, y, z]T where A =
⎡
a ⎣ d e
d b f
⎤ e f ⎦ c
is a symmetric matrix. Now by standard matrix theory, any symmetric matrix is “diagonalizable” (this is known variously as the Spectral Theorem or the Principal Axis Theorem). In other words, there exists an orthogonal matrix M (M −1 = M T where M T denotes the transpose of the matrix M ), such that M −1 A M = diag {d1 , d2 , d3 }. Hence, if we perform the change of variables ⎤ ⎡ ⎤ x x ⎣y ⎦ = M ⎣y ⎦ z z ⎡
Elliptic Curves 441
then we obtain f (x, y, z) = [x, y, z] A
⎡ ⎤ x ⎣y ⎦ z
⎡ ⎤ x ⎣y ⎦ z ⎡ ⎤ = [x , y , z ] M −1 A M x ⎣y ⎦ z ⎡ ⎤ = [x , y , z ] diag {d1 , d2 , d3 } x ⎣y ⎦ z = [x , y , z ] M T A M
= d1 (x )2 + d2 (y )2 + d3 (z )2 . Since V (f1 ) = V (−f1 ), we may assume that di ≥ 0 for at least two values of i. By means of a simple exchange of variables, we can also assume that d1 > 0. Then we can perform a further change of variable x = e1 x , where e12 = d1 , to eliminate the coefficient d1 . We can similarly eliminate d2 and d3 if either of them is nonzero. By a further change of variables we can also interchange the variables (for example, x = y , y = z , z = x ). Thus, by a suitable change of variables, we can transform f (x, y, z) into one of the following forms: (1) X 2 = 0. (2) X 2 + Y 2 = 0. (3) X 2 − Y 2 = 0. (4) X 2 + Y 2 + Z 2 = 0. (5) X 2 + Y 2 − Z 2 = 0. Now the combined effect of the various changes of variables has still been linear. In other words, there is a 3 × 3 matrix C such that ⎡ ⎤ ⎡ ⎤ x X ⎣y ⎦ = C ⎣ Y ⎦ z Z .
442 Introduction to Applied Algebraic Systems
In addition, each of the transformations is reversible. In other words, the matrix C is invertible and ⎡ ⎤ ⎡ ⎤ X x ⎣Y ⎦ = C −1 ⎣y ⎦ Z z . Let C −1 = D =
⎡
d11 ⎣d21 d31
d12 d22 d32
⎤ d13 d23 ⎦ d33 .
Now let us have a look at this resulting categorization of conics into five classes: (1) X 2 = 0. This corresponds to (d11 x + d12 y + d13 z)2 = 0 the product of a line with itself. (2) X 2 + Y 2 = 0. This defines the single point [0, 0, 1] in P2 (R) and corresponds to the point of intersection of the two lines d11 x + d12 y + d13 z = 0,
d21 x + d22 y + d23 z = 0.
(3) X 2 − Y 2 = 0. This factorizes as (X − Y )(X + Y ) = 0 and consists of the two lines X − Y = 0, X + Y = 0. (4) X 2 + Y 2 + Z 2 = 0. The only solution in real numbers is X = Y = Z = 0. However, [0, 0, 0] is not a point in P2 (R), and so there is no solution in this case. (5) X 2 + Y 2 − Z 2 = 0. Putting Z = 0 would force X = Y = 0. Again, since [0, 0, 0] is not a point in P2 (R), there is no solution with Z = 0. Thus, we may assume that Z = 1 and then the equation becomes the equation of a circle: X 2 + Y 2 = 1.
Elliptic Curves 443
6.7 Reducible Conics and Cubics
Here we give some consideration to reducible conics and cubics. If a homogeneous cubic polynomial is reducible, then one of the factors must be linear. Since elliptic curves are defined by irreducible polynomials, we were able to get by without considering this situation. However, since so much of our discussion concerns the number of points of intersection of curves, it is interesting to see how this has a bearing on the factorization of polynomials. Bézout’s Theorem tells us that a line and a cubic with no common component will have three points of intersection (over an algebraically closed field). So, what if a line and a cubic have four points in common? By Bézout’s Theorem, they must have a common component. However, a line is clearly irreducible and so can have only one component—namely, itself. Thus the line must be a part of the cubic curve. Theorem 6.7.1 Let F be an algebraically closed field and f (x, y, z), g (x, y, z), h(x, y, z) ∈ F [x, y, z] be homogeneous polynomials of degree 1, 2, and 3, respectively. Let the corresponding line, conic and cubic in P2 (F ) be L : f (x, y, z) = 0 Cg : g (x, y, z) = 0 Ch : h(x, y, z) = 0. (i) If L and Cg have three points in common (counting multiplicities), then f (x, y, z) divides g (x, y, z) and L is a component of Cg . (ii) If L and Ch have four points in common (counting multiplicities), then f (x, y, z) divides h(x, y, z) and L is a component of Ch . Proof. (i) By Bézout’s Theorem, Theorem 6.4.4, we see that L and Ch must have a component in common. However, L is a line, f (x, y, z) is irreducible, and so V (f ) is also irreducible. Hence, V (f ) ⊆ V (Ch ) and, by Corollary 5.6.4, f divides h. Part (ii) follows similarly. Our proof of Theorem 6.7.1 depended critically on Bézout’s Theorem, which only works in P2 (F ) over an algebraically closed field. However, with slightly stronger hypotheses we can consider a slightly weaker result, but with a more elementary proof. Theorem 6.7.2 Let f (x, y, z), g (x, y, z), h(x, y, z) ∈ F [x, y, z] be homogeneous polynomials of degrees 1, 2, and 3, respectively. Let the corresponding line, conic, and cubic in P2 (F ) be L : f (x, y, z) = 0 Cg : g (x, y, z) = 0 Ch : h(x, y, z) = 0.
444 Introduction to Applied Algebraic Systems
(i) If L and Cg have three distinct points in common, then f (x, y, z) divides g (x, y, z) and L is a component of Cg . (ii) If L and Ch have four distinct points in common, then f (x, y, z) divides h(x, y, z) and L is a component of Ch . Proof. We will prove (ii) and allow you to construct the parallel argument for (i). Let f (x, y, z) = lx + my + nz h(x, y, z) = ax 3 + bx 2 y + cx 2 z + dxy 2 + exyz + hxz 2 + ky 3 + py 2 z + syz 2 + tz 3 . We will assume that l = 0. Similar arguments apply if m = 0 or l = m = 0 and n = 0. Then l −1 f (x, y, z) determines the same line, and so we may assume that l = 1. By Theorem 5.3.2, we can write h(x, y, z) = (x + my + nz)q(x, y, z) + r(y, z)
(6.16)
for some q(x, y, z) ∈ F [x, y, z], r(x, y) ∈ F [y, z]. Moreover, the division process in Theorem 5.3.2 ensures that q is homogeneous of degree 2 and that r is either equal to zero or is homogeneous of degree 3. Hence, r(y, z) = h(x, y, z) − (x + my + nz)q(x, y, z) can be written as r(y, z) = αy 3 + βy 2 z + γ yz 2 + δz 3
(6.17)
for some α, β, γ , δ ∈ F . Now let Pi = [xi , yi , zi ], 1 ≤ i ≤ 4, be four distinct points lying on both L and C. Then, f (xi , yi , zi ) = 0 = h(xi , yi , zi ) and, from (6.16) and (6.17), we obtain four equations in α, β, γ , δ: yi3 α + yi2 zi β + yi zi2 γ + zi3 δ = 0
(6.18)
for 1 ≤ i ≤ 4. So suppose that zi = 0 for all i. Divide the ith equation in (6.18) by zi3 and write vi = yi /zi . Then we have the system of equations vi3 α + vi2 β + vi γ + δ = 0
(1 ≤ i ≤ 4).
Let the matrix of coefficients be A. Then, by Lemma 5.2.7, det (A) =
(vi − vj )
1≤i<j≤4
Elliptic Curves 445
which will be nonzero provided vi = vj for all i, j. However, yj yi = zi zj zj =⇒ yj = yi = λyi zi zj where λ = zi
vi = vj =⇒
=⇒ xj = lxj = −myj − nzj (recalling that l = 1) = λ(−myi − nzi ) = λxi =⇒ xj = λxi , yj = λyi , zj = λzi . Thus, vi = vj would imply that [xi , yi , zi ] = [xj , yj , zj ] in P2 (R), which is a contradiction. Hence, vi = vj and det (A) = 0. It follows that the system (6.18) has a unique solution α=β=γ =δ=0 and, from (6.16), we have h(x, y, z) = f (x, y, z)q(x, y, z) as required. Now consider the case where zi = 0 for some i. A line (other than z = 0) contains only one point at infinity and therefore the remaining zj must be nonzero. Also, yi = 0, since no point of the form (xi , 0, 0) can lie on L (recall that [0, 0, 0] ∈ P2 (R)). Hence, the corresponding equation in (6.18) will show that α = 0. There then remain three other equations in β, γ , δ together with three points with third components nonzero. We may now proceed as in the first case. In section 6.5, we saw that there is a conic through any five points in P2 (F ), but that the conic would not be unique if four of the points are collinear. We will now see that if no four of the points are collinear then the conic is indeed unique. Theorem 6.7.3 Let F be an algebraically closed field and P1 , . . . , P5 ∈ P2 (F ). Let f , g ∈ F [x, y, z] be homogeneous polynomials of degree 2 with P1 , . . . , P5 ∈ V (f ) ∩ V (g ). (i) f is irreducible if and only if no three of the Pi are collinear. (ii) If f is irreducible, then V (f ) = V (g ). (iii) If f is reducible and no four of the Pi are collinear, then V (f ) = V (g ).
446 Introduction to Applied Algebraic Systems
Note. We do not assume that the points P1 , . . . , P5 are distinct. If, for instance, P1 = P2 , then whenever we have two curves intersecting at P1 = P2 , we count it as a double point of intersection and so on. However, we will not emphasize this point in the proof. Proof. (i) Let f be irreducible. Suppose that three of the points lie on a line L : l(x, y, z) = 0. By Theorem 6.7.1, L must divide f , which contradicts the assumption that f is irreducible. Hence, no three of the points are collinear. Conversely, if f is reducible, then there must exist linear polynomials l1 , l2 with f = l1 l2 and V (f ) = V (l1 ) ∪ V (l2 ). Hence, either three of the points lie in V (l1 ) or three lie in V (l2 ). Thus, if f is reducible, then three of the points must be collinear. (ii) By Corollary 5.6.4, we know that V (f ) is irreducible. If V (f ) ⊆ V (g ), then V (f ) and V (g ) have no irreducible component in common and, by Bézout’s Theorem, |V (f ) ∩ V (g )| = 2 × 2 = 4, which is a contradiction. Hence, we can assume that V (f ) ⊆ V (g ). Then, by Corollary 5.6.4, f divides g . But, deg(f ) = deg(g ) = 2. Hence there exists λ ∈ F ∗ with g = λf so that V (f ) = V (g ). (iii) Now suppose that f is reducible. If g is irreducible, then by part (ii), with the roles of f and g reversed, we have f = λg , for some λ ∈ F ∗ , which would imply that f is also irreducible, which is a contradiction. Hence we can assume that g is also reducible. Since deg(f ) = deg(g ) = 2, there must be homogeneous linear polynomials l1 , l2 , m1 , m2 ∈ F [x, y, z] of degree 1 with f = l1 l2 ,
g = m 1 m2 .
Since P1 , . . . , P5 ∈ V (f ) = V (l1 ) ∪ V (l2 ), either l1 or l2 must contain three of the points P1 , . . . , P5 . Without loss of generality, we can assume that P1 , P2 , P3 ∈ V (l1 ). Since no four of the points are collinear, we must have P4 , P5 ∈ V (l2 ). Now, since P1 , P2 , P3 ∈ V (g ), either V (m1 ) contains two of them or V (m2 ) contains two of them. Again, without loss of generality, we can assume that two of them lie in V (m1 ). However, two distinct lines intersect at, at most, one point. Hence, V (l1 ) = V (m1 ). Since P4 , P5 ∈ V (l1 ) = V (m1 ), we must have P4 , P5 ∈ V (m2 ). Hence, since V (l2 ) and V (m2 ) are also lines, V (l2 ) = V (m2 ). Now l1 , l2 , m1 , and m2 are all linear and therefore irreducible. Hence, by Corollary 5.6.4 (i), there are λ, µ ∈ F ∗ such that m1 = λl1 ,
m2 = µl2
from which we conclude that g = m1 m2 = (λl1 )(µl2 ) = λµl1 l2 = λµf .
Elliptic Curves 447
Exercises 6.7 1. Let F be an algebraically closed field and f (x, y, z), l(x, y, z) ∈ F [x, y, z] be homogeneous polynomials of degree n and 1, respectively. Let |V (f ) ∩ V (l)| ≥ n + 1. Show that l divides f . 2. Let F be an algebraically closed field and f (x, y, z), k(x, y, z) ∈ F [x, y, z] be homogeneous polynomials of degree n and 2, respectively, where n ≥ 3. Let P1 , . . . , P2n+1 ∈ V (f ) ∩ V (k) be such that no four of the points are collinear. Show that k divides f . ∗ 3.
Let F be an algebraically closed field and f (x, y, z) ∈ F [x, y, z] be homogeneous polynomials of degree 3 and suppose that no four of the points P1 , . . . , P10 ∈ V (f ) are collinear and no eight lie on a conic. Show that V (f ) is the unique cubic through the points P1 , . . . , P10 .
4. In each of the following cases, show that any conic passing through the points in P2 (F ) listed must be reducible, without calculating the conics: (i) [1, 0, 0], [1, 1, 1], [1, 0, 1], [0, 1, −1], [0, 0, 1]. (ii) [0, 1, 0], [1, 1, 1], [1, 0, 0], [1, 0, 1], [1, 1, 0]. (iii) [1, 1, 0], [0, 1, 0], [1, 1, 1], [0, 1, 1], [2, 2, 3]. 6.8 The Nine-Point Theorem
The main result in this section shows that there are interesting consequences from the restriction on the number of points of intersection with elliptic curves. This will be critical when considering the associative law for groups on elliptic curves. Those readers willing to take the associative law on faith may skip this section though, by doing so, they will miss a lovely piece of geometry. A general homogeneous cubic in F [x, y, z] has up to 10 monomial terms so that we need at least nine points to specify it uniquely. If we have only eight points then there will be independent solutions in Theorem 6.5.3. In some circumstances, two solutions will be sufficient to describe all the solutions. All that we are doing is taking advantage of the fact that the set of solutions to the system of equations AX = 0 in Theorem 6.5.3 is a subspace of F k and, if that subspace is of dimension two, then it must have a basis of two vectors. Theorem 6.8.1 (The Nine-Point Theorem) Let F be an algebraically closed field and fi (x, y, z) ∈ F [x, y, z], i = 1, 2, 3 be homogeneous cubics such that the curves V (f1 ) and V (f2 ) have no common irreducible components. Let P1 , . . . , P8 ∈ V (f1 ) ∩ V (f2 ) ∩ V (f3 ). Then, (i) no four of the points P1 , . . . , P8 are collinear (ii) there exist λ, µ ∈ F with f3 = λf1 + µf2 (iii) P9 ∈ V (f1 ) ∩ V (f2 ) =⇒ P9 ∈ V (f3 ).
448 Introduction to Applied Algebraic Systems
Proof. For the sake of simplicity, we will assume that the points P1 , . . . , P8 are distinct although, with careful attention to the multiplicity of intersections, we may dispense with this assumption. (i) If four of the points—say P1 , . . . , P4 —lie on a line L, then by Theorem 6.7.1 (ii), L is a common component of V (f1 ) and V (f2 ), which is a contradiction. (ii) Let L : l(x, y, z) = 0 C : k(x, y, z) = 0
be a line through P1 and P2 be a conic through P3 , . . . , P7 .
Such a line and curve exist by Theorem 6.5.3. Since no four of the points P3 , . . . , P7 are collinear, it follows from Theorem 6.7.3, that C is uniquely determined. There are now three cases depending on whether P8 lies on L, or on C, or on neither. Case (1). P8 lies on L. Let Q1 = [x1 , y1 , z1 ] be a point on L that is different from P1 , P2 , and P8 . Let Q2 = [x2 , y2 , z2 ] be a point that is on neither L nor C (see the following diagram.) Consider the equations cf3 (x1 , y1 , z1 ) + c1 f1 (x1 , y1 , z1 ) + c2 f2 (x1 , y1 , z1 ) = 0
(6.19)
cf3 (x2 , y2 , z2 ) + c1 f1 (x2 , y2 , z2 ) + c2 f2 (x2 , y2 , z2 ) = 0.
(6.20)
As a system of two homogeneous linear equations in the three unknowns c, c1 , c2 , there is a nonzero solution, which we will just denote by c, c1 , and c2 . Let d(x, y, z) = cf3 (x, y, z) + c1 f1 (x, y, z) + c2 f2 (x, y, z)
(6.21)
and D = V (d). By the construction of D, we have P1 , . . . , P8 , Q1 , Q2 ∈ V (d). If d(x, y, z) = 0 and c = 0, then f3 (x, y, z) = −c −1 c1 f1 (x, y, z) − c −1 c2 f2 (x, y, z) and we have the desired result. All other cases lead to a contradiction. If d(x, y, z) = 0 and c = 0, then at least one of c1 and c2 is nonzero (say, c1 ), so that f1 (x, y, z) = c1−1 c2 f2 (x, y, z) which contradicts the assumption that f1 and f2 have no common component. We will now show that the assumption d(x, y, z) = 0 also leads to a contradiction. Since d(x, y, z) = 0, V (d) is a line, conic, or cube. From (6.21) and the hypothesis, we have that P1 , . . . , P8 ∈ V (d), and from (6.19) and (6.20) we have that Q1 , Q2 ∈ V (d).
Elliptic Curves 449
P5 ............... . ..........r.................... ....... . . . . . . . . . . . . . . ......... . . . . . P4 ...... ....... . ...r. P6 ............. . r . . . . . . . . ....... . . . . . . .. ... ...... .... .... ..... ... .. .. ... ............ r P7 ... .... ................ ....r.. ............. . .. P3 ..... ....... ..r ... ... Q2 . C . . . . D ... . ....................... ... ........ ..... L ............r...........................................................r..............................................r..........................................................r............................................................. .................. ................. Q1 P2 P8 P1 Now L and V (d) have four points (P1 , P2 , P8 , and Q1 ) in common. Hence, by Theorem 6.7.1 (ii), l(x, y, z) divides d(x, y, z)—say, d(x, y, z) = l(x, y, z) q(x, y, z) where, since V (d) is a line, conic, or cubic, either q is a constant or V (q) must be a line or conic. We now have that P1 , . . . , P8 ∈ D = V (d), P1 , P2 , P8 ∈ L = V (l), but no four of P1 , . . . , P8 are collinear by part (i). It follows that P3 , P4 , P5 , P6 , P7 ∈ V (q). However, C is the unique conic through these points, so that V (q) = C. But this implies that D = V (l) ∪ V (q) =L∪C which does not contain Q2 by the way that Q2 was chosen. Thus, we have a contradiction, since D was specifically constructed to pass through Q2 . Case (2). P8 lies on C. Let Q1 = [x1 , y1 , z1 ] be a point on C different from P3 , . . . , P8 and again choose Q2 = [x2 , y2 , z2 ] to be a point that is neither on L or C. Let d(x, y, z) and D = V (d) be defined as before. As in Case (1), if d(x, y, z) = 0, we either have the desired result or a contradiction. So again it suffices to show that d(x, y, z) = 0 leads to a contradiction. We break the argument into two cases. Case (2a). C irreducible. We have |C ∩ D| ≥ 7 > 2 × 3 = 6 so that, by Bézout’s Theorem, C and D must have a component in common. However, C is irreducible. Hence, C ⊆ D and, by Corollary 5.6.4, k(x, y, z) divides d(x, y, z)—say, d(x, y, z) = k(x, y, z) m(x, y, z)
450 Introduction to Applied Algebraic Systems
....... P5 ................................ P6 ....r...... ..... . r . . . . .... ........ . ........ . . . ..... .... P7 P4 ............ ..............r....... . . .......r..... . . . . .... ....... . . . ... .. .. .. .... ... .. .. . .. ...r. P8 . P3 ......r... .. ... . ... .... ... .......... r Q1 C ............. . . . . . .. . . . ...........r ......... r . ......... Q2 r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................................................................................................. . ....... . L . . ........ .... ....... ............. P1 .............................. P2 D where, matching degrees, we see that m is homogeneous and linear. Thus, M = V (m) is a line and D = C ∪ M. Now, by Bézout’s Theorem, if P1 ∈ C, then we can argue P1 ∈ C =⇒ |C ∩ V (f1 )| = | {P1 , P3 , . . . , P8 } | ≥ 7 > 6 =⇒ C and V (f1 ) have a common component =⇒ C ⊆ V (f1 ) since C is irreducible and, similarly, C ⊆ V (f2 ). This contradicts the hypothesis that V (f1 ) and V (f2 ) have no common components. Hence, P1 ∈ C and, likewise, P2 ∈ C. But, P1 , P2 ∈ D so that we must have P1 , P2 ∈ M . Since two points determine a line, hence M = L and D = C ∪ L. However, D contains Q2 whereas C ∪L does not. Thus we have a contradiction again. Case (2b). C reducible. Since C is a conic, the only possibility is that k(x, y, z) = l1 (x, y, z)l2 (x, y, z) and C = L1 ∪ L2 where L1 = V (l1 ) and L2 = V (l2 ) are lines. No four of P3 , . . . , P8 are collinear, so three (say, P3 , P4 , P5 ) lie on L1 and three (say, P6 , P7 , P8 ) lie on L2 . Since Q1 ∈ C by choice, we may assume that Q1 ∈ L1 . Then, |L1 ∩ D| ≥ 4 and by Theorem 6.7.1 (ii), l1 divides d—say, d = l1 q1 where V (q1 ) must be a conic. Then, P6 , P7 , P8 ∈ L2 ∩ V (q1 ) and, by Theorem 6.7.1 (i), l2 divides q1 —say, q1 = l2 l3
Elliptic Curves 451
where l3 must be linear. Thus, d = l1 l2 l3 . Since no four of P1 , . . . , P8 are collinear, P1 , P2 ∈ L1 ∪ L2 . Hence, P1 , P2 ∈ V (l3 ) and, since a line is defined by two points, V (l3 ) = L. Thus, D = L1 ∪ L2 ∪ L = C ∪ L where Q2 ∈ D but Q2 ∈ C ∪ L. Thus we again have a contradiction. Case (3). P8 lies on neither C nor L. We divide this case into two subcases. Case (3a). One of P3 , . . . , P7 lies on L. By part (i) of the theorem, no more than one can lie on L. Without loss of generality, we may assume that P3 ∈ L. Choose Q1 ∈ L and distinct from P1 , P2 , and P3 . Choose Q2 ∈ C such that Q2 ∈ L and Q2 is not collinear with any three of the four points P4 , P5 , P6 , and P7 . Then no four of the points P4 , P5 , P6 , P7 , and Q2 , are collinear so that, by Theorem 6.7.3, C is uniquely determined by the points P4 , P5 , P6 , P7 , Q2 . Let d(x, y, z) and D = V (d) be defined as in Case (1). If d(x, y, z) = 0, then, as before, we either obtain the desired conclusion or a contradiction, so that it remains to show that we also obtain a contradiction if d(x, y, z) = 0. First we see that L and D have four points (P1 , P2 , P3 , Q1 ) in common so that L must be a component of D (Theorem 6.7.1 (ii)). Let d(x, y, z) = l(x, y, z) q(x, y, z) where V (q) must be a conic. P6 ............... . ...........r.................... ... ....... . . . . . . . . . . . . . . . . . .... ..... . . . . P5 ...... ....... ....r.....P7 .............. . r . . . . . . . . . . .. .... . . . . . . . ... ..... ... .. ...... ..... ... .. .... ..........r Q2 ... ..... ................ . P4 ....r. ............. . . . .. ....... . . .. ..r . . . C . . D ... P8 . . . . . . . . ....................... . ...... .... . ... ..... ....... L ............r............................................................r....................................................r...........................................................r............................................................ .................. ................. Q1 P2 P3 P1
452 Introduction to Applied Algebraic Systems
Since no four of P1 , . . . , P8 are collinear, none of P4 , . . . , P7 ∈ L and, by choice, Q2 ∈ L. Hence, P4 , . . . , P7 , Q2 ∈ V (q). Thus, V (q) and C, both conics, have five points in common, which implies that they have an irreducible component in common. If either V (q) or C is irreducible, then it follows that both must be irreducible and that V (q) = C. If they have a linear component in common, then both are products of two lines. Since no four of P4 , . . . , P7 , Q2 are collinear, V (q) and C must be the product of the same two lines and therefore C = V (q). Hence, D = V (l) ∪ V (q) = L ∪ C where P8 ∈ D but P8 ∈ L ∪ C. Thus we have a contradiction. Case (3b). None of P3 , . . . , P7 lies on L. Let Q1 and Q2 be two distinct points on L distinct from P1 and P2 . Let d(x, y, z) and D = V (d) be defined as in Case (1). Again, if d(x, y, z) = 0, then we either obtain the desired result or a contradiction, so that it remains to show that d(x, y, z) = 0 leads to a contradiction. As before, C is uniquely determined by the points P3 , . . . , P7 . In this case, L and D have four points in common so that L must be a component of D (Theorem 6.7.1 (ii)). Let d(x, y, z) = l(x, y, z) q(x, y, z) where V (q) must be a conic. P5 ............... . ...........r................... ....... . . . . . . . . . . . . . ......... . . . . P4 .. .... ....... ....r. P6 ............. . r . . . . . . . . .. ..... . . . . . . .. .. .... . ... .. .. ....... ..... .... .. .... ............ r P7 . ................ . . . P3 ...r... ............. . .. . .. ....... . . .. ..r . C D .... P8 . . . . ....................... .... . ... ..... ....... L ...........r...........................................................r..............................................r...........................................................r............................................................ ................. ................. Q1 Q2 P2 P1 Then, P3 , . . . , P7 ∈ V (q) ∩ C. By the uniqueness of C, we must have V (q) = C. Thus, D = V (l) ∪ V (q) = L ∪ C where P8 ∈ D but P8 ∈ L ∪ C, a contradiction. (iii) This part follows immediately from part (ii).
Elliptic Curves 453
6.9 Groups on Elliptic Curves
Let us consider an elliptic curve: E : y 2 = x 3 + ax + b,
4a 3 + 27b 2 = 0
or (in homogeneous terms) of the form E : y 2 z = x 3 + axz 2 + bz 3 ,
4a 3 + 27b 2 = 0.
There are several important points to observe here. (1) The condition 4a 3 + 27b 2 = 0 ensures that E is nonsingular and that there exists a tangent at each point. (2) From Exercise 11 in section 5.2, f (x, y) = y 2 − (x 3 + ax + b) is irreducible and, therefore, so also is f h . (3) Substituting z = 0 into the homogeneous form of the equation for E, the equation reduces to x 3 = 0. Thus we have a triple point of intersection at [0, 1, 0]. In other words, the tangent to E at [0, 1, 0] has a third point of intersection with E at [0, 1, 0]. For the time being, we will assume that we are working within an algebraically closed field F and that E ⊆ P(F 2 ), although the difference between E as a projective curve and E as an affine curve is just the one point at infinity. Now fix a point O, which we will call the base point, on E. We define a binary operation + on E as follows. Let P and Q be arbitrary points on E. Let L denote the line through P and Q. If P = Q, then we take L to be the tangent at P. By Theorem 6.4.2, L and E intersect in three points. Let P ◦ Q denote the third point. Now let the line through P ◦ Q and O meet E in R. Then we define P +Q =R or p + Q = (P ◦ Q) ◦ O.
454 Introduction to Applied Algebraic Systems
Several possible configurations are presented in the next few diagrams:
O
... ..... ..... ..... . . . . . ...... ..... ..... ..... . . . . . .... .... ..... ..... . . . . . ..... ..... ......................................................... ... . ............ ....... ............................................................................................................................................................................................................................................................................................................................................................. . . . . . ........ ... .... ................................................................................................................................. . . . . . . . . . . . . . . . . . . . . . . . . . . ... .. ... .. ... ... ... .... ... ... ....... ... ...... . . .......... . . . .... . . ... . .................. . . . . . . . .... . . . . . . . ......................... ..... ..... ..... ....... .... .... ..... ..... ..... ..... ...... ...... ..... ...... ..... ...
rQ r P +Q
Pr r
... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...................................................... ......... ... .................... ...... ... ...... .... ...... ..... .. . ....... .. ....... ... . . ... ....... . . .. . . . . ... ............ . . . ....... .................... ... .................................... ... ... ... ... ... ... ... ... ... ... ... ... ... .
O rP +Q
r P ◦Q
.. ... .... ... ..... ... .... . . . . . ... . ... ...... ..... ... ..... ... .... ... . . . ... ...... .. .. ..... ............ . . . . .. .... . . . . ... ..... ... .... ... ... ... . .... . ... .... ... .... ... ... ... ... ... ... .... ... ..... . ..... ..... ..... ...... .. ........ . ..... ....... ... ...... ..... ... ..... ... ...... ... ...... .... ...... ..... .. ..... ... ..... .
r
P
rQ
... .. ... .... .. . .. .. . . ... .. ... ... . . .... ..... ..... ..... . . . . ................................................. ... .............. ......... ... ........ ...... ... ..... ...... .... . . . ... . . . ... ... .. . ... ... .. ............ ..... .. ... ............. ..... ... .... .... .......... . . . . .......... ....... ... .. . . . . . .......... .... . . . . . . .................................. .......................... ..... .................... ........ .......... ........ .......... ... ..... .......... ... ..... .......... ... .... .......... ... ... .......... ... .... .......... ... .. .......... ... ... .......... ... .. ... .. .......... ... .. .......... ... .. .......... . . .......... .......... ...... .... .......... ... .. ................ ........... . ... ...... .............. ...
Or
r 2P
rP =Q
rP ◦ Q
Elliptic Curves 455
O=∞
... .... ... ..... ... ..... ... ..... . . . ... . . ... ..... ... .......... ... ................. ..... . . . . . . . . . . . . . . . . . . ..... . . .................... ........ .... .................... ... .... ................... ... ...... .................... . . . . . . . . . . . . . . . . . . . . . .... . . .. ....... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... . . . . . . . . ..... ........... ..... . . . . . . . . . . . . . . . . . . . . ... . . . . . . . . . . ....... . .... ............................ . . . . . ... . . . .... . . ... ................... . . ... . ... . ... .. ... .. .... . . ... ... . ... . . ..... . . . . ... . . .... ........ .. . . . . . ... . . ............ . ..... ... ......................................................... ...... ...... .... ...... .... .... .... ... ...... ...... ... ...... .... ....... ...... ... ...... ... ..... ... ...... ... ..... ... ...
r
Qr
Pr
P ◦Q
rP + Q
It is the following fact that makes elliptic curves so interesting to geometers and cryptographers alike. Theorem 6.9.1 (E, +) is an abelian group. Proof. Clearly, + is commutative. Identity. Let P ∈ E. The line through O and P then intersects C at a third point which we denote by Q. Turning this around, the third point on E and the line through Q and O is just P. Thus, P + O = (P ◦ O) ◦ O = Q ◦ O = P and O is the identity.
...... ........ ........ ........ . . . . . . . . ......... ..................... ........................... ........................... ........................ ........... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................. . .. ............... .......... .............................................. ..... .......... ... .... ....... .............................. .... ... ... ........................ . .................................................. . .. .... . ....................... ... ... .... ... ...... .... . . . .... . . . ......... ... . . ..... . . . ............... . . . . ...... ........................................... ...... ...... ......... ......... ......... ........ ........ ........ ........ .
r
O
r
Pr
Q
Inverse. Let L be the tangent at O. Then L must meet E at a third point S, say. Now let the line through P and S intersect E in a third point P . Then the third point on E and the line through P and P is S and the third point on E and the line through S and O is O. Thus, P + P = O and P is the inverse of P.
456 Introduction to Applied Algebraic Systems .. ...... ...... ..... . . . . . . .. ...... ...... ..... ..... . . . ..... .... .... .... . .............. . . . .............. ...... ........................ ...... .................. ........................... .... ......... . . . . . . . . . . . . . . . . . . . . . . . . . . . .... ................ . .... .............. ... .. .. .............. .... .... . .............. .............. ... .. . . . . .............. . ..... .............. ..... ..... ........ .. ............ ........ ............................................................................................................................................................................................................................................................... ................... ..... ................ ..... .. .... .... ..... ..... ..... ..... ...... ...... ....... ...... ...... ...... .....
P
r
rP
Or
r
... . ... . ... . ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ ............ ......... ........ . . ....... . . . . .. . . .. .... .... .... . .. ... . ... ..... .... ....... ... . . . . . .......... . . ........ .. ..................... .................................. .. ... . .... ... .
P
r r
−P
S=O
L: z =0
S
L
.. .... ..... ..... . . . . . ...... ..... ..... ..... . . . . . .... .... .... ....... . . . . .. ..... ..... ... ... . .. ... .... ... ... ... .... ..... ..... ..... ...... ...... .... .... ..... ..... ..... ..... ...... ...... ..... ...... ..... ...
Associativity. It would be so easy to overlook the issue of associativity. In so many circumstances, it follows easily because we are dealing with numbers, matrices, or composition of functions. Here it is not at all clear that the associative law will hold, and its verification depends on the (far from obvious) Nine-Point Theorem. Let P, Q, R be any points on the curve. Let the line L1 through P and Q meet E in a third point S, the line L4 through S and O meet E in a third point T , and the line L2 through T and R meet E also in U . Then P + Q = T and (P + Q) + R is the third point on E and the line through O and U . Similarly, let V denote the third point on E and the line L5 through Q and R, W be the third point on E and the line L3 through O and V , and U be the third point on E and the line L6 through P and W . Then, Q + R = W and P + (Q + R) is the third point on E and the line through O and U . Thus we will have P + (Q + R) = (P + Q) + R if we can show that U = U .
Elliptic Curves 457
.. ... ... ... ... ... ......................................................................................................................................................................................................................................................................................................................................................................... ... ... ... ... .... .... ... ... ... ... .... .... ... ... ... ... .... .... .... ... ... ... ... ... ... ... ... ... ... ... ... ... .... .... ... ... ... ... ... ... . . .................................................................................................................................................................................................................................................................................................................................................................... ... ... ... ... ... .. ... ... ... ... ... ... ... ... ... ... ... ... .... .... .... ... ... ... ... ... ... ... ... ... ... ... ... ... .... .... ... ... ... ... ... ... . . .................................................................................................................................................................................................................................................................................................................................................................... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .... .... .... ... ... ... ... ... .... ... ... ... ... ... ... ... .... .... . . ..
W
P
V
Q
O
S
L3
U r
rU
R
L6
L5
L4
T
L1
L2
For each i, let li (x, y, z) = 0 define the line Li . To keep the notation simple, we will write li = li (x, y, z). Let f1 (x, y, z) = l1 l2 l3 f2 (x, y, z) = l4 l5 l6 . Since E is irreducible, C1 : f1 (x, y, z) = 0 and E are cubic curves with no common component and they intersect in the nine points O, P, Q, R, S, T , U , V , W . On the other hand, the curve C2 : f2 (x, y, z) = 0 also passes through the eight points O, P, Q, R, S, T , V , and W . Hence, by Theorem 6.8.1 (the Nine-Point Theorem), C2 must also pass through the ninth point, U , in the intersection of E and C1 . However, E and C2 also intersect in U . Since, in total, E and C2 intersect in exactly nine points, it follows that U must equal U . (Note that other possibilities, such as U = R and L6 also passing through R won’t work because we count multiplicities of intersection. L6 would then have four points of intersection with E and therefore divide E, which would be a contradiction.) Therefore, P + (Q + R) = (P + Q) + R and the operation + is associative. Note that the points O, P, . . . , W may not all be distinct, nor need the lines all be distinct. However, this presents no problems, when the multiplicities are counted appropriately. Exercises 6.9 1. Show that the operation ◦ is not associative. (A proof “by diagram” is sufficient).
458 Introduction to Applied Algebraic Systems
2. For any points P, Q, R, S on E, establish the following: (i) P ◦ Q = Q ◦ P. (ii) (P ◦ Q) ◦ P = Q. (iii) ((P ◦ Q) ◦ R) ◦ S = P ◦ ((Q ◦ S) ◦ R). (Hint: Set up a diagram of intersecting lines as in Theorem 6.9.1 and apply Theorem 6.8.1.) 3. Let (E, +) be a group on E relative to the point O and (E, + ) be the group on E relative to the point O . The goal of this exercise is to show that (E, +) and (E, + ) are isomorphic. Let O = O ◦ O . Define a mapping ϕ : E → E by: ϕ(P) = O ◦ P. (i) Show that ϕ is bijective. (ii) Show that, for all points P, Q, (O ◦ Q) ◦ (P ◦ O ) = P + Q. (Hint: O = O ◦ O and use Exercise 2 (iv).) (iii) Show that ϕ(P) + ϕ(Q) = O ◦ ((P ◦ O ) ◦ (O ◦ Q)). (Hint: Use Exercise 2 (iv).) (iv) Show that ϕ(P) + ϕ(Q) = ϕ(P + Q). 6.10 The Arithmetic on an Elliptic Curve
We now want to make some basic observations regarding the arithmetic in the group of a nonsingular elliptic curve: E : y 2 = x 3 + ax + b, 4a 3 + 27b 2 = 0 over an algebraically closed field F , with char F = 2, 3. We have seen that such a curve has one point [0, 1, 0] “at infinity” in the projective plane. It turns out, rather surprisingly perhaps, that it simplifies some of the calculations if we choose that point at infinity as the point O. So let us set O = [0, 1, 0]. Since all the other points of E lie in F 2 , we will perform most of our calculations in F 2 and only resort to P2 (F ) when necessary. One useful consequence of the choice of O = [0, 1, 0] is the following. Lemma 6.10.1 Let the line x = c intersect E in F 2 at the points P and Q, where P and Q are not necessarily distinct. Then P + Q = O and Q = −P. Consequently, if P = (x1 , y1 ), then −P = (x1 , −y1 ). Proof. Substituting x = c into the equation for E, we obtain the quadratic equation (in y) y 2 = c 3 + ac + b which has just two roots that must correspond to P and Q. Thus, the third point of intersection of the line x = c with E within P2 (F ) is O. Now the line L joining O to O is the tangent line z = 0 so that the third point of
Elliptic Curves 459
intersection of L with E is also O (since in P2 (F ), the intersection of z = 0 and y 2 z − (x 3 + axz 2 + bz 3 ) is given by x 3 = 0, yielding a triple point of intersection at [0, 1, 0]). Thus, P +Q =O as required. To establish the final claim, let P = (x1 , y1 ) ∈ E. Then we also have Q = (x1 , −y1 ) ∈ E so that the line x = x1 meets E at the points P and Q (or a repeated point P = Q if y1 = 0). By the preceding argument, Q = −P. In the calculations below, it will again be convenient to use the familiar fractional notation ab (a ∈ F , b ∈ F ∗ ) to denote ab −1 , even though our field F may not be a subfield of C. Theorem 6.10.2 Let E : y 2 = x 3 + ax + b be an elliptic curve over an algebraically closed field F and let (E, +) be the group of E with O = [0, 1, 0], the point at infinity. Let P, Q ∈ E. Then P + Q can be described as follows: (i) If P = O or Q = O, then P + Q = Q and P + Q = P, respectively. For the remaining cases, we can assume that P, Q ∈ F 2 —say P = (x1 , y1 ), Q = (x2 , y2 ). (ii) If x1 = x2 and either y1 = y2 or y1 = y2 = 0, then P + Q = O. In the remaining cases, P + Q = R will be a point in F 2 . So let R = (x3 , y3 ). (iii) If x1
=
x2 ,
y1 = y2 = 0
x3
=
−2x1 +
y3
=
−y1 +
x3
=
−x1 − x2 +
y3
=
then $ 3x 2 + a %2 1
2y1
,
$ 3x 2 + a % 1
2y1
(x1 − x3 ).
(iv) If x1 = x2 , then $ y − y %2 2 1 x2 − x 1 $y − y % 2 1 −y1 + (x1 − x3 ) . x2 − x 1
460 Introduction to Applied Algebraic Systems
Proof. (i) This follows immediately from the fact that O is the identity element for (E, +). (iia) x1 = x2 and y1 = y2 . Then P and Q are distinct points on the line L : x = x1 (= x2 ). By Lemma 6.10.1, P + Q = O. (iib) x1 = x2 and y1 = y2 = 0. In this case, the line x = x1 (= x2 ) meets E at P = Q with multiplicity 2, and the result again follows from Lemma 6.10.1. (iii) x1 = x2 , y1 = y2 = 0. Here, P = Q and so we must first describe the tangent to E at P. Consider the intersection of the line L : x = x1 + ct , y = y1 + dt with E. Substituting L into the equation for E, we obtain (y1 + dt )2 = (x1 + ct )3 + a(x1 + ct ) + b which reduces to c 3 t 3 + t 2 (3c 2 x1 − d 2 ) + t (3cx12 + ac − 2dy1 ) = 0. Now we have the tangent when t is a double root—that is, when the coefficient of t is zero, exactly when (3x12 + a)c − 2y1 d = 0 or, since y1 = 0, d=
3x12 + a c. 2y1
Thus, L is given by x = x1 + ct ,
y = y1 +
3x12 + a ct 2y1
or, in implicit form (by eliminating t ) 3x12 + a (x − x1 ) 2y1 $ 3x 2 + a % 3x 2 + a x + y1 − 1 x1 = 1 2y1 2y1
y = y1 +
= mx + c
(6.22)
Elliptic Curves 461
where m=
3x12 + a 2y1
and
c = y1 −
3x12 + a x1 . 2y1
To find the third point of intersection, R = (x3 , y3 ) of L with E, we substitute (6.22) into the equation for E: (mx + c)2 = x 3 + ax + b or x 3 − m 2 x 2 + (a − 2mc)x + b − c 2 = 0 which will have three roots in F —namely, x1 , x1 , and x3 . Hence, x 3 − m 2 x 2 + (a − 2mc)x + b − c 2 = (x − x1 )(x − x1 )(x − x3 ). Equating the coefficients of x 2 , we obtain −m 2 = −2x1 − x3 so that x3 = m 2 − 2x1 = −2x1 +
$ 3x 2 + a %2 1
2y1
and, from (6.22), y3 = y1 +
3x12 + a (x3 − x1 ). 2y1
The line L joining O to R = (x3 , y3 ) is then x = x3 . To obtain the third point of intersection of L with E, we substitute x = x3 into the equation for E: y 2 = (x3 )3 + ax3 + b. However, (x3 , y3 ) is a point on E. Hence, (x3 )3 + ax3 + b = (y3 )2 so that we have y 2 = (y3 )2 and y = ±y3 . Thus, the third point is given by (x3 , −y3 ) and (iii) holds. (iv) x1 = x2 . The line L : (y2 − y1 )(x − x1 ) = (x2 − x1 )(y − y1 )
462 Introduction to Applied Algebraic Systems
passes through P and Q, and so is the line determined by P and Q. Let the third point of intersection of L with E be (x3 , y3 ). From the equation for L, y=
x 2 y1 − x 1 y2 y2 − y1 x+ x2 − x1 x2 − x 1
= mx + c where m=
y 2 − y1 , x2 − x1
c=
x2 y1 − x1 y2 . x2 − x 1
Substituting in the equation for E to find all the points of intersection, we obtain, as before, (mx + c)2 = x 3 + ax + b or x 3 − m 2 x + (a − 2mc)x + b − c 2 = 0. This equation will have three solutions in F , two of which are x1 and x2 , and the third will be x3 . Thus we must have x 3 − m 2 x + (a − 2mc)x + b − c 2 = (x − x1 )(x − x2 )(x − x3 ). Equating the coefficients of x 2 , we obtain −m 2 = −x1 − x2 − x3 or x3 = m 2 − x1 − x2 and, from the equation for L, we obtain y3 = mx3 + c. Now, as in part (iii), the line joining O to (x3 , y3 ) will meet E in a third point (x3 , −y3 ). Thus, x3 =
m 2 − x1 − x 2
y3 = −mx3 − c = −y1 + as claimed.
y2 − y1 (x1 − x3 ) x2 − x1
Elliptic Curves 463
The usefulness of Theorem 6.10.2 in relation to performing calculations in the group of an elliptic curve is pretty obvious. However, it has another wonderful consequence. Corollary 6.10.3 Let F1 be a subfield of an algebraically closed field F and let E : y 2 = x 3 + ax + b be an elliptic curve over E with a, b ∈ F1 . Let O = [0, 1, 0] and E(F1 ) = {(x, y) ∈ E : x, y ∈ F1 } ∪ {O}. Then (E(F1 ), +) is a subgroup of (E, +). Proof. Let P, Q ∈ E(F1 ) where P = (x1 , y1 ) and Q = (x2 , y2 ). Then x1 , x2 , y1 , y2 ∈ F1 and it follows immediately from Theorem 6.10.2 that P + Q ∈ E(F1 ). Also it follows from Lemma 6.10.1, that −P ∈ E(F1 ). Thus, (E(F1 ), +) is a subgroup. This is very nice, but for any given choice of F and F1 (for example, F = C, F1 = Q), it may be a challenge to determine whether E(F1 ) contains any element other than O. The next lemma contains some useful facts concerning elements of low order. Lemma 6.10.4 Let P = (x, y) be a point other than the identity on the elliptic curve E : y 2 = x 3 + ax + b over a field F with char(F ) = 2, 3 and let O = [0, 1, 0]. (i) P has order 2 if and only if y = 0. (ii) P has order 3 if and only if y = 0 and P + P = (x, −y). (iii) P has order 4 if and only if y = 0 and P + P = (∗, 0).
Proof. (i) We have P is of order 2 ⇔ P + P = O ⇔ P = −P ⇔ (x, y) = (x, −y) ⇔ y = −y ⇔ 2y = 0 ⇔ y = 0.
464 Introduction to Applied Algebraic Systems
(ii) We have P is of order 3 ⇔ 3P = O ⇔ P + P = −P = (x, −y). (iii) We have P is of order 4 ⇔ 4P = 0, 2P = O ⇔ P + P = −(P + P) = O ⇔ P + P = (∗, 0). After all the work that we have done, it turns out to be relatively straightforward to calculate groups on elliptic curves over small finite fields. Example 6.10.5 Let E : y 2 = x 3 + x + 4 over Z11 . Then = 4 · 1 + 27 · 42 = 436 = 7
(in Z11 ).
Therefore, E is nonsingular and (E(Z11 ), +) is a group. To find all the elements of E(Z11 ), all we have to do is calculate all the possible values of x 3 + x + 4 as x ranges over Z11 and then all the possible values for y 2 as y ranges over Z11 , and take all pairs (x, y) where these values agree and then include O, the point at infinity. x, y
x 2, y 2
x3
x3 + x + 4
0 1 2 3 4 5 6 7 8 9 10
0 1 4 9 5 3 3 5 9 4 1
0 1 8 5 9 4 7 2 6 3 10
4 6 3 1 6 2 6 2 7 5 2
We see that the values that x 3 + x + 4 and y 2 have in common are 1, 3, 4, 5. Therefore, matching pairs of values of x and y we find that E = {(0, 2), (0, 9), (2, 5), (2, 6), (3, 1), (3, 10), (9, 4), (9, 7), O}.
Elliptic Curves 465
Thus, (E, +) is an abelian group of order 9 and is therefore isomorphic to either Z9 or Z3 × Z3 . We can determine which of these groups we actually have by considering the number of elements of order 3 (Z3 × Z3 has eight such elements whereas Z9 has only two). Let P be a point on E. By Lemma 6.10.4, P is a point of order 3 if and only if P = (x, y) is such that y = 0 and P + P = (x, −y). Calculating the first coordinate of P + P according to Theorem 6.10.2 (iii), this yields −2x +
$ 3x 2 + 1 %2 2y
=x
or (3x 2 + 1)2 = 12xy 2 = 12x(x 3 + x + 4) . This simplifies (over Z11 ) to 8x 4 + 5x 2 + 7x + 1 = 0. The only roots of this equation in Z11 are 3 and 7, which, when substituted into x 3 + x + 4, yield the values 1 and 2. As y 2 = 2 has no solution in Z11 , and 12 = 102 = 1, it follows that the only candidates for points of order 3 are (3, 1) ,
(3, 10).
Consequently, (E, +) ∼ = Z9 and any point other than O, (3, 1), and (3, 10) is a generator. Exercises 6.10 1. Let E : y 2 = x 3 + ax + b be an elliptic curve. (i) Show that there are, at most, three elements in (E, +) of order 2. (ii) Show that there are, at most, eight elements in (E, +) of order 3. (iii) Show that there are, at most, 12 elements in (E, +) of order 4. 2. Use Exercises 1 (i) and 1(ii) to identify certain groups that never occur as the groups of elliptic curves. 3. Determine the group of each of the following elliptic curves over the field Z5 . Take the “base point” O to be the point at infinity. (i) y 2 = x 3 − 1. (ii) y 2 = x 3 + 1. (iii) y 2 = x 3 + x.
466 Introduction to Applied Algebraic Systems
(iv) y 2 = x 3 + 4x + 1. (v) y 2 = x 3 − x. (vi) y 2 = x 3 + x + 1. 4. Determine the group of the following elliptic curve over the field Z7 . Take the “base point” O to be the point at infinity. (i) y 2 = x 3 + 4x + 1. (ii) y 2 = x 3 + x + 4. 6.11 Results Concerning the Structure of Groups on Elliptic Curves
There is a vast amount of literature concerning groups on elliptic curves, and in this section we will list just a few of the more important general results. So, throughout, we will assume that we are dealing with an elliptic curve E : y 2 = x 3 + ax + b ,
4a 3 + 27b 2 = 0
over a field F , which will be specified in each case, and we take the base point to be O = [0, 1, 0]. Theorem 6.11.1 (L. J. Mordell, 1922) Let the elliptic curve E be defined over Q. Then the group (E(Q), +) is finitely generated and is therefore isomorphic to a group of the form Z × Z × ··· × Z × F
where the number of copies of Z is finite and F is a finite (abelian) group.
Mordell’s Theorem was subsequently (1928) extended by A. Weil to a much larger class of groups defined on curves. The number of times that Z appears as a factor is called the (Mordell-Weil) rank of (E, +). Theorem 6.11.2 (B. Mazur, 1977, 1978) Let the elliptic curve E be defined over Q. Then the subgroup of (E(Q), +) consisting of the elements of finite order is isomorphic to one of the following 15 groups: Zn , n = 1, 2, 3, . . . , 10, 12 Z2 × Z2n , n = 1, 2, 3, 4
and each of these groups does occur. The next result, from E. Lutz and T. Nagell, brings the calculation of the groups of some simple elliptic curves over Q into the realm of what is reasonably manageable even by hand calculations.
Elliptic Curves 467
Theorem 6.11.3 (Lutz-Nagell, 1937) Let the elliptic curve E be defined over Q and a, b ∈ Z. If P = (x, y) is a point on E of finite order, then x, y ∈ Z and either y = 0 or y 2 divides . The condition presented in Theorem 6.11.3 is a necessary condition for P to be of finite order, but it is not a sufficient condition. Theorem 6.11.4 (i) If the elliptic curve E is defined over R, then (E, +) is isomorphic to either where R/Z
or
(R/Z) × Z2 .
(ii) If the elliptic curve E is defined over C, then there exist α, β ∈ C such that (E, +) is isomorphic to C/α, β.
where α, β = Z α + Z β. We present just two results concerning the groups of elliptic curves over finite fields. The first result tells us that the number of points on an elliptic curve over GF(p n ) is approximately p n . Theorem 6.11.5 (H. Hasse, 1930s) Let E be an elliptic curve over GF(p n ). Then p n + 1 − 2 p n ≤ |E| ≤ p n + 1 + 2 p n . The second result identifies the group structure of an elliptic curve over GF(p n ). Theorem 6.11.6 Let E be an elliptic curve over GF(p n ). Then there exist integers n1 , n2 such that (E, +) ∼ = Zn1 × Zn2 where n2 divides n1 and p n − 1. For any abelian group G, recall (Exercise 32 in section 4.4) that we denote by Tor (G) the subgroup consisting of the elements of finite order and call it the torsion subgroup of G. It is clear that Theorem 6.11.3 is a very important tool when it comes to identifying the torsion subgroup of an elliptic curve over Q. For any elliptic curve E over Q, with a, b ∈ Z and discriminant , let LN (E) = {(x, y) ∈ E | y = 0 or y 2 divides }
468 Introduction to Applied Algebraic Systems
and call the elements of LN (E), LN elements. By Theorem 6.11.3, we know that Tor (E, +) ⊆ LN (E) ∪ {0}. In general, we do not get equality here. Nevertheless, for small values of a and b, it is a straightforward matter to determine the values of y for which y 2 divides . For each such value y = y0 , we then wish to find the roots of x 3 + ax + (b − y02 ) = 0. Since a, b − y02 ∈ Z, it follows from Proposition 2.6.7 that the integer roots must be divisors of b − y02 . This greatly simplifies the search for LN elements. Example 6.11.7 Let E : y 2 = x 3 −5x +2 over Q. Then = −4 · 53 +27 · 4 = 4(27 − 125) = −4 · 98 = −23 · 72 . Let (x, y) ∈ LN (E). Then, y = 0, ±1, ±2, ±7, ±14. Now we must see if there are any points on E with these values of the ycoordinate. (1) y = 0. We have x 3 − 5x + 2 = (x − 2)(x 2 + 2x − 1) where x 2 + 2x − 1 has no rational roots. Thus, the only integer value of x for which x 3 − 5x + 2 = 0 is x = 2. Thus, (2, 0) ∈ LN (E). (2) y = ±1. Then, x 3 − 5x + 1 = 0 has no integer solutions. (3) y = ±2. Here, 4 = x 3 − 5x + 2 ⇒ x 3 − 5x − 2 = 0 ⇒ (x + 2)(x 2 − 2x − 1) = 0 where x 2 − 2x − 1 has no integer roots. Thus, the only root of x 3 − 5x − 2 is x = −2. Hence, (−2, ±2) ∈ LN (E). (4) y = ±7. Then, 49 = x 3 − 5x + 2
Elliptic Curves 469
or x 3 − 5x − 47 = 0 has no integer solutions. (5) y = ±14. Then, 196 = x 3 − 5x + 2 or x 3 − 5x − 194 = 0 has no integer solutions. Thus, LN (E) = {(2, 0), (−2, ±2)}. Now (2, 0) is an element of order 2, so (2, 0) ∈ Tor (E, +). On the other hand, (−2, +2) + (−2, +2) has first coordinate equal to 4+
$ 12 − 5 %2 4
=4+
49 16
which is not an integer. Therefore, (−2, 2) ∈ Tor (E). Similarly, (−2, −2) ∈ Tor (E). Thus, Tor (E) = {O, (2, 0)} and Tor (E) is isomorphic to Z2 . In some examples it is necessary to calculate larger multiples of elements in LN (E) than two to see that they are not, in fact, elements of Tor (E). Example 6.11.8 Let E : y 2 = x 3 −3x +3. Then = 27. 5 and Theorem 6.11.3 indicates that the y-coordinates of torsion elements of E will be in the set y = 0, ±1, ±3. On checking, we find that LN (E) = {(1, ±1), (−2, ±1)}. Let P = (1, 1) and P + P = (x1 , y1 ). Then, x1 = −2 +
$ 3 . 1 − 3 %2
= −2 2.1 3.1 − 3 (1 + 2) = −1. y1 = −1 + 2.1
470 Introduction to Applied Algebraic Systems
Thus, P + P = (−2, −1) ∈ LN (E). Let 4P = (x2 , y2 ). Then x2 = 4 +
$ 12 − 3 %2 −2
=4+
$ 9 %2 2
so that x2 is not an integer. Hence, by Theorem 6.11.3, 4P ∈ Tor (G). Therefore, P and P + P are not elements of Tor (G) either. Similarly, (1, −1) and (−2, ±1) ∈ Tor (G). Thus we are reduced to Tor (G) = {O}. Exercises 6.11 1. Determine the torsion subgroup of the groups on each of the following elliptic curves over the rational numbers. Take the “base point” O to be the point at “infinity”. (i) (ii) (iii) (iv) (v) (vi) (vii) (viii) (ix) (x) (xi)
y2 y2 y2 y2 y2 y2 y2 y2 y2 y2 y2
= x 3 + 1. = x 3 − 1. = x 3 + x. = x 3 − x. = x 3 + x + 1. = x 3 + x − 1. = x 3 − x + 1. = x 3 − x − 1. = x 3 + x + 2. = x 3 + 5x + 2. = x 3 + 5x − 2.
7 Further Topics Related to Elliptic Curves
In this chapter we consider several topics relating to elliptic curves. We begin with two important areas of applications: cryptography and prime factorization. The next three sections consider ideas about elliptic curves and about curves related to elliptic curves. We consider curves of the form y 2 = x 3 + ax + b that are not elliptic curves, then we look at the concept of birational equivalence in the light of which we see that elliptic curves are not as special as they might at first appear. Next we consider the genus of a curve that places elliptic curves in a hierarchy of curves. In the very last section, we consider the solutions to a well-known family of Diophantine equations. 7.1 Elliptic Curve Cryptosystems
An elliptic curve cryptosystem is a variant of the ElGamal public key cryptosystem. The components of an ElGamal cryptosystem are (1) A group G (2) An element g ∈ G (3) An integer a ∈ N (4) h = g a . Thus, the key space is K = {(G, g , a, h) | G is a finite group, g ∈ G, a ∈ N, h = g a } 471
472 Introduction to Applied Algebraic Systems
or, since h is determined by g and a, simply K = {(G, g , a) | G is a finite group, g ∈ G, a ∈ N}.
The public components of the system are G, g , h = g a while a, the key to the system, is kept secret. The message space for the ElGamal system is G so that plain text messages must first be converted into elements in G or strings of elements in G. The encrypted message space is G × G. A message x ∈ G is encrypted as follows: e1: Select a random integer b < |g |. e2: Compute y1 = g b , y2 = xh b . e3: Send the cipher text (y1 , y2 ). Thus, e(x) = (y1 , y2 ). The recipient and owner of the key then decodes the message as follows: d (e(x)) = d (y1 , y2 ) = y2 (y1a )−1 . This does indeed recover the original message, since d (e(x)) = y2 (y1a )−1 = xh b ((g b )a )−1 = xg ab (g ab )−1 = x. The security of the ElGamal cryptosystem relies entirely on the fact that the knowledge of g
and
ga
does not immediately reveal the value of the exponent a. The following problem: Given an element g in a group G and an element h ∈ g , find n ∈ N such that h = gn is known as the discrete log problem.
Further Topics Related to Elliptic Curves 473
The discrete log problem is considered to be computationally hard in general. However, in particular instances, for example, if G = Zn (see the exercises), it is known to be easy. So it is important to choose the group G, the element g , and the integer a with great care. In theory, the ElGamal public key encryption scheme can be implemented in any finite group, provided that the discrete log problem is considered to be intractable. This is thought to be the case with groups on elliptic curves. So first let us consider a literal adaptation of the ElGamal scheme to elliptic curves. The components are (1) An elliptic curve E over Zp , where p is a large prime (2) A point P ∈ E, of large order (3) An very large integer a ∈ N (4) Q = aP. The key space in this case is K = {(E, P, a, Q) | P ∈ E, Q = aP}.
The public components of the system are E, P, Q = aP. The message space consists of pairs of points on E—in other words, it is a subset of (Zp × Zp )2 . A message x ∈ E is encrypted as follows: e1: Select a random integer b less than the order of P. e2: Compute y1 = bP, y2 = x + bQ. e3: Send the cipher text (y1 , y2 ). Thus, e(x) = (y1 , y2 ). The recipient and owner of the key then decode the message as follows: d (e(x)) = d (y1 , y2 ) = y2 − ay1 . This recovers the original message, since d (e(x)) = y2 − ay1 = x + bQ − a(bP) = x + abP − abP = x.
474 Introduction to Applied Algebraic Systems
One modification of this scheme, divised by Menezes-Vanstone, using elliptic curves runs as follows. The components are (1) A large prime p (2) An elliptic curve E over Zp (3) A point P ∈ E for which the discrete log problem in P is considered intractable (4) An integer a ∈ N (5) Q = aP. The key space is K{(E, P, a, Q) | P ∈ E, Q = aP}.
The public components of the system are E, P, p, Q = aP. The difference here is that, the message space is Z∗p × Z∗p . A message x = (x1 , x2 ) ∈ Z∗p × Z∗p is encrypted as follows: e1: Select a random integer b less than the order of P. e2: Compute R = bP, bQ = (q1 , q2 ) y1 = q1 x1 mod p y2 = q2 x2 mod p. (b should be chosen to avoid the (unlikely) possibility that either q1 = 0 or q2 = 0.) e3: Send the cipher text e(x) = (R, y1 , y2 ). The recipient and owner of the key then decode the original message as follows. The first step is to determine the values of q1 and q2 with the information
Further Topics Related to Elliptic Curves 475
available. This can be done by computing aR since aR = abP = baP = bQ = (q1 , q2 ). Now the message can be decrypted by d (e(x)) = d (R, y1 , y2 ) = (y1 q1−1 mod p, y2 q2−1 mod p) = (x1 , x2 ) = x. A slight disadvantage of the ElGamal and elliptic curve cryptosystems relative to other cryptosystems is the way that they expand the original message. However, elliptic curve cryptosystems have short key lengths and, consequently, more modest memory requirements, which is an important feature for situations in which memory and processing power are limited. An important area of applications is in smart cards. In terms of security, the discrete log problem, on which the security of elliptic curve cryptography depends, is believed to be as difficult as the factorization problem for large integers (which is the basis of the security of the RSA system). Combined with the high precision arithmetic employed on elliptic curves, this makes elliptic curve cryptography a serious competitor to the RSA system. We refer the reader to [Men] for further information on this topic. Exercises 7.1 1. Let g be a generator for (Zn , +), m ∈ N and h = mg . Show how to solve for m using the Euclidean algorithm. 2. Construct the log2 table for Z∗11 , that is, for each element y of Z∗11 , solve y = 2x for x. 3. Construct the logα table for GF(9) = Z3 [y]/(1 + y 2 ), where α = 1 + y; that is, for each element y of GF(9), solve y = a x for x.
7.2 Fermat’s Last Theorem
Everyone who has studied a little Euclidean geometry is familiar with the equation x2 + y2 = z2
(7.1)
476 Introduction to Applied Algebraic Systems
as it expresses the fact that, in a right-angled triangle with sides of lengths x, y, and z where z is the length of the hypotenuse, the sum of the areas of the squares on the two shorter sides (of lengths x and y) is equal to the area of the square on the hypotenuse (Pythagoras’ Theorem). Triples [x, y, z] that are solutions to the equation (7.1) are known as Pythagorean triples. It is not difficult to find Pythagorean triples consisting of positive integers— for example, [3, 4, 5] and [5, 12, 13]. It is also easy to see that if [x, y, z] is a Pythagorean triple and if λ ∈ N, then [λx, λy, λz] is also a Pythagorean triple. Thus, equation (7.1) has infinitely many integer solutions. Indeed, equation (7.1) has infinitely many independent solutions, that is, solutions that are not multiples of each other. An algorithm for generating Pythagorean triples will be developed in the exercises. The outcome is dramatically different if we increase the exponent in equation (7.1) to consider the equations x 3 + y 3 = z 3 , x 4 + y 4 = z 4 , and so on. In the 17th century, the French mathematician P. de Fermat studied these equations and came to the conclusion that there were no integer solutions to the equations of the form xn + yn = zn
(n ≥ 3)
with x, y, z all nonzero. Fermat did not record a solution; at least, no solution has been found in his papers. However, in a copy of the translation into latin by C. G. Bachet of Diophantus’ “Arithmetica”, Fermat wrote the following words in the margin opposite Problem II.8: “I have a truly marvelous demonstration of this proposition, which this margin is too narrow to contain” (see ([Boy], page 354) and ([Sing], page 69)). As this was the last major claim remaining unresolved among the many assertions that Fermat made without providing detailed proofs, it became known as Fermat’s Last Theorem. Not until the 1990s were mathematicians able to verify Fermat’s famous claim. Elliptic curves played a critical role. The link between Fermat’s Last Theorem and elliptic curves was observed by G. Frey in 1984. Suppose that a, b, c ∈ N are such that an + bn = c n
(n ≥ 3).
(7.2)
Let A = a n , B = b n , and consider the curve E : y 2 = x(x − A)(x + B) or y 2 = x 3 + (B − A)x 2 − ABx. We will refer to this as the Frey elliptic curve. This is not in the standard form for an elliptic curve that we have been using. However, let us perform the
Further Topics Related to Elliptic Curves 477
change of variables y → y, x → x − 13 D where D = B − A. Then, $ 1 %3 1 %2 1 % x − D + D(x − D − AB x − D 3 3 3 2 3 D D x− = x 3 − Dx 2 + 3 27 3 ABD 2 D − ABx + + Dx 2 − D 2 x + 3 9 3 % $1 % $2 ABD = x 3 − D 2 + AB x + D3 + . 3 27 3
x 3 + Dx 2 − ABx −→
$
Thus, with respect to the new coordinates, our curve is E : y 2 = x 3 + px + q where p=−
$1 3
% D 2 + AB ,
q=
2 3 1 D + ABD. 27 3
In this form, E has discriminant = 4p 3 + 27q 2 1 1 = −4 D 6 + ABD 4 + A 2 B 2 D 2 + A 3 B 3 27 3 4 2D 3 ABD 1 2 2 2 6 D + 2 · + A B D + 27 272 27 3 9 = −A 2 B 2 D 2 − 4A 3 B 3 = −A 2 B 2 [D 2 + 4AB] = −A 2 B 2 [B 2 − 2BA + A 2 + 4AB] = −A 2 B 2 [A 2 + 2AB + B 2 ] = −A 2 B 2 (A + B)2 = −a 2n b 2n (a n + b n )2 = −(a 2 b 2 c 2 )n where the last step follows from (7.2). Thus we have the following Proposition. Proposition 7.2.1 If there exists a nontrivial solution to xn + yn = zn
478 Introduction to Applied Algebraic Systems
then there exists a Frey elliptic curve E such that = −t n for some integer t > 1. To indicate, very briefly, how this ties in with the ultimate proof of Fermat’s Last Theorem, we need to introduce a few concepts. Our definitions are not completely precise, but they will suffice to give you a general idea of the major stepping stones along the way. Let C+ denote the upper half of the complex plane C+ = {x + iy | y > 0}.
Now consider the following set of quotients of one linear polynomial by another in C(z): az + b | a, b, c, d ∈ Z, ab − cd = 1 . = cz + d + + Each element of determines a mapping z −→ az+b cz+d of C to C . Furthermore, each of these mappings is a permutation of C+ and together they form an infinite group of permutations (under the usual composition of permutations), which is known as the modular group. The group has many subgroups. Particularly noteworthy are the following. For any positive integer n, let az + b | a ≡ d ≡ ±1 mod n, b ≡ c ≡ 0 mod n (n) = cz + d
Then (n) is a normal subgroup of such that the quotient / (n) is finite. Any subgroup M of such that (n) ⊆ M , for some positive integer n, is called a congruence subgroup. The detailed verification of these observations concerning is left to the exercises. Next we say that a function f : C+ −→ C+ is a modular function if (i) there exist functions g , h : C+ −→ C+ that are differentiable everywhere such that f = g /h “almost everywhere" (ii) f (γ z) = f (z) for all γ ∈ . In addition, if M is a congruence subgroup and the function f : C+ −→ C+ satisfies the condition (i) above and also (ii)
M
f (γ z) = f (z) for all γ ∈ M
then we say that f is M -modular. Clearly if f is modular then it is M -modular for all congruence subgroups M . Finally, one last “modular" definition. We say that E : y 2 = x 3 + ax + b
Further Topics Related to Elliptic Curves 479
is a modular elliptic curve if, for some congruence subgroup M of , there exist nonconstant M -modular functions f and g such that x = f (t ), y = g (t ) (t ∈ C+ ) provides a parameterization of E. The proof of Fermat’s Last Theorem was then completed in the following steps. The possible link to modular curves was raised in the 1950s and 1960s, when Shimura/Taniyama conjectured that every elliptic curve with rational coefficients is modular. Frey surmised that the Frey elliptic curve, if it existed, would not be modular, and this was confirmed in 1986 by K. Ribet. Finally, in 1994, A. Wiles established that a class of elliptic curves (which would include the Frey elliptic curve, if it existed) does indeed consist of modular elliptic curves. Consequently, the Frey elliptic curve cannot exist and Fermat’s Theorem was validated. The final stages were accompanied by a high drama suitable to such a long-standing and famous assertion. The principal character, A. Wiles, secluded himself for seven years to work exclusively on this challenge and then, emerging from his seclusion, presented a series of four lectures on his solution to experts only to find that there was a gap in one of his arguments. However, with further work together with his student R. Taylor, he was able to bridge the gap and the proof was finally complete. The Shimura/Taniyama conjecture was established a few years later in its full generality. Exercises 7.2 1. Let [x, y, z] be a Pythagorean triple. Establish the following: (i) (x, y) = (x, z) = (y, z) = (x, y, z). (ii) There exists a Pythagorean triple [x1 , y1 , z1 ] such that (a)
(x1 , y1 , z1 ) = 1,
(b)
[x, y, z] = (x, y, z)[x1 , y1 , z1 ].
(When (a) holds, we say that [x1 , y1 , z1 ] is a primitive Pythagorean triple.) 2. Let [x, y, z] be a primitive Pythagorean triple. Establish the following: (i) $ z is odd. (Equivalently, x and y have opposite parity.) % z+x z−x = 1. (ii) 2 , 2 3. Let [x, y, z] be a primitive Pythagorean triple with x odd and y even. Establish the following: $ %2 y z−x · = (i) z+x 2 2 2 . (ii) There exist a, b ∈ N with z +x = a2, 2
z −x = b2, 2
a > b,
(a, b) = 1.
480 Introduction to Applied Algebraic Systems
(iii) x = a 2 − b 2 , y = 2ab, z = a 2 + b 2 . (iv) a and b have opposite parity. 4. Let a, b ∈ N be such that a > b, (a, b) = 1, and a and b have opposite parity. Let x = a2 − b2,
y = 2ab,
z = a2 + b2.
Show that [x, y, z] is a primitive Pythagorean triple. 5. Show that is a group of permutations of C+ . 6. Show that (n) is a normal subgroup of for each positive integer n. 7.3 Elliptic Curve Factoring Algorithm
There are two related problems that one can consider regarding a large odd integer n: (1) Is n a prime number? (2) Can we find a proper prime factor? It would appear that the first question is more tractable than the second, at least in the sense that there is a primality testing algorithm with a maximum running time that can be expressed as a polynomial in the number of digits in the target number. This algorithm was discovered by M. Agrawal, N. Kayal and N. Saxena [AKS] and improvements have been made to the running speed since then [LP]. The idea for the AKS algorithm begins with the simple observation that, for any integer n > 1, n is a prime number if and only if (x − a)n = x n − a in Zn [x], for all elements a in Zn . However, as an algorithm, this would require testing with a large number of values of a. Now let f (x) be a polynomial with integer coefficients and let I be the ideal in Z[x] generated by n and f (x). If n is a prime number, then it is easy to see that (x − a)n − (x n − a)is contained in I for all integers a.
(7.3)
However, the striking achievement of Agrawal, Kayal and Saxena was to show that, in the converse direction, with a suitably chosen (cyclotomic) polynomial f (x), there exists an integer K , that is relatively small compared with n, such that if (7.3) holds for every integer a between 1 and K , then Either (1) n is divisible by a prime less than K , or (2) n is a power of a prime.
Further Topics Related to Elliptic Curves 481
From this it is then possible to determine whether or not n is a prime. Turning to the second question at the beginning of this section, its importance to modern commercial transactions cannot be overestimated. Indeed, the very security of the RSA encryption scheme depends on the difficulty of the second question. However, one of the more successful algorithms for tackling the second question, developed by Lenstra, uses elliptic curves, and we will describe it here. We begin with a purely number–theoretical approach called the (p − 1) method that was developed by J. Pollard. It is based on the following result. Lemma 7.3.1 Let n be an odd integer and p be a prime number that divides α n. Let p − 1 = q1α1 · · · qk k where the qi are distinct prime numbers, αi ∈ N, and let a ∈ N be such that qiαi ≤ a, for all i. Let b ∈ [0, n − 1] be such that b ≡ 2a! mod n. (i) b ≥ 1. (ii) p divides gcd (b − 1, n). (iii) If b > 1, then gcd (b − 1, n) is a nontrivial proper divisor of n. Proof. (i) Since n is odd, it is clear that 2a! is not a multiple of n. Hence, b ≡ 0 mod n and 1 ≤ b ≤ n − 1. (ii) Since p divides n, it must also divide b − 2a! so that b ≡ 2a! mod p.
(7.4)
From the definition of a, it follows that p − 1 divides a!. So let c ∈ N be such that a! = (p − 1) c. Then, from (7.4), and Fermat’s Theorem (Theorem 1.11.3), %c $ b ≡ 2(p−1) mod p ≡ 1c mod p = 1 mod p. Thus, p divides b − 1 and (ii) follows. (iii) By the definition of b, we have that b < n. Hence, by (ii), we have p ≤ gcd (b − 1, n) < n and the claim follows.
Note that the only reason for choosing a! in the previous lemma is to ensure that p − 1 divides a!.
482 Introduction to Applied Algebraic Systems
The factoring algorithm based on Lemma 7.3.1 then proceeds as follows: (1) Guess a value of a. (2) Compute b using modular arithmetic at each step, calculating 22 mod n,
(22 )3 mod n,
(22.3 )4 mod n, . . . .
(3) Use the Euclidean algorithm to compute d = gcd (b − 1, n). (4) If d = 1, n, then d is a nontrivial proper divisor. Otherwise, repeat the algorithm with a different choice of a. At first sight it might appear that the algorithm will guarantee success. However, there are two points at which it can break down. (1) It may happen that b = 1, so that b − 1 = 0 and gcd (b − 1, n) = n. This would happen, for example, if n = pm, (p, m) = 1 and ϕ(m) divides a! (see the exercises). (2) Since the prime factors of n are unknown at the beginning of the algorithm, the choice of a is a guess. If there is no prime factor p of n for which p − 1 divides a!, then b might not be congruent to 1 mod p and so we cannot conclude that gcd (b − 1, n) is a nontrivial factor of n. In this regard, the algorithm works best if n has a prime factor p for which p − 1 has relatively small prime factors. One way to view the (p − 1) algorithm is as a clever way to search for a nonzero noninvertible element in Zn —namely, the element b −1. Once found, the gcd (b − 1, n) is then a nontrivial proper factor of n. Lenstra observed that it is possible to use elliptic curves to perform a similar kind of search. The starting point is an elliptic curve E : y 2 = x 3 + ax + b over Q with a, b ∈ Z, together with a point P = (x0 , y0 ) ∈ E where x0 , y0 ∈ Z, y0 = 0. Such pairs are fairly easy to generate: Choose a, x0 , y0 ∈ Z arbitrarily, and then set b = y03 − x03 − ax0 . Next choose an integer k with many divisors in the manner that a! was chosen in the (p − 1) method. Now compute the point kP. One way to do this in an efficient manner is to write k to the base 2 as k = a0 + a1 2 + · · · + at 2t
(ai = 0, 1)
and then successively compute at P,
2at P, at −1 P + 2at P,
2(at −1 P + 2at P), . . . .
Further Topics Related to Elliptic Curves 483
This is known as the double and add method. (See section 1.12, where the same approach to calculating large exponents was described, except that there it was called square and multiply.) The crucial feature here is that we do not perform the arithmetic in Q, but in Zn . What is particularly interesting about this method is that we are hoping that the computation breaks down in the “right” way. Consider what happens at each step. Suppose that we have computed the mth point Q without encountering any problems and that we examine the computation of the (m + 1)st point. We must perform one of the following calculations: (a) Compute 2Q. (b) Compute P + Q. Let Q = (u, v). Case (a) This case has, itself, two subcases depending on whether v = 0 or v = 0. Case (a1) v = 0. In this case the algorithm has failed and we try again with a different pair (E, P) or a different choice of k. Case (a2) v = 0. Then we try to compute the coordinates x2Q , y2Q of 2Q by the formulas (from Theorem 6.10.2) x2Q = −2u + y2Q
$ 3u 2 + a %2
2v $ 3u 2 + a % = −v + (u − x2Q ). 2v
To perform this calculation in Zn we need to be able to calculate an inverse for 2v. Since we are assuming that n is odd, this can be done if and only if (v, n) = 1. In other words, the calculation breaks down if and only if (v, n) > 1. Case (b) If P = Q, then we are back in Case (a). So suppose that P = Q. If x0 = u then the algorithm has failed and we start over. If x0 = u, then we try to compute P + Q = (xP+Q , yP+Q ) as $ v − y %2 0 u − x0 $ v − y %2 0 = −v + (x0 − xP+Q ). u − x0
xP+Q = −x0 − u + yP+Q
Again, to be able to perform this calculation, it is necessary that u − x0 be invertible in Zn —that is, that (u − x0 , n) = 1. Thus, the calculation breaks down if and only if (u − x0 , n) > 1.
484 Introduction to Applied Algebraic Systems
The algorithm is successful if the previous calculation breaks down, since then we obtain a nontrivial proper divisor of n, and either 1 < gcd (v, n) < n (in Case (a2)) or 1 < gcd (u − x0 , n) < n (in Case (b)). To see what is happening “behind the scenes”, so to speak, with this algorithm, suppose that p is a proper prime factor of n and that we have been lucky enough to choose a value of k for which the order, m say, of E as an elliptic curve over Zp divides k. Since mP = 0, over Zp , we must also have kP = 0. Imagine that, in parallel with the previous calculation for kP over Zn , we perform the “same” calculations over Zp . Since kP = 0 over Zp , there must be a first step where either
2Q = 0
or
P + Q = 0.
In the first instance, yQ = 0 (mod p) and in the second, yQ = −yP (mod p) and xQ = xP (mod p). Thus, p | yQ
or
p | (xQ − xP )
so that gcd (yQ , n) > 1 or gcd (xQ − xP , n) > 1. This corresponds exactly to the situations in which the calculations broke down in the algorithm. Thus, our objective in the choice of k is to capture the order of E as a group over Zp for some prime divisor p of n. Hasse’s Theorem can be of some help here in making suitable choices. One last point. To know that the points on E considered as an elliptic curve over Zp form a group, we need to know that E is nonsingular. So, at the very beginning, we would like to know that (4a 3 + 27b 2 , n) = 1. If we are lucky enough to choose values of a and b so that 1 < gcd (4a 3 + 27b 2 , n) < n then we are done and there is no need to proceed with the algorithm. If gcd (4a 3 + 27b 2 , n) = n, then we choose another pair (E, P). Elliptic curves can also be used to test the primality of an integer n. It is a test that is applied to integers that are thought to be prime. If successful, the test then confirms that the integer is indeed prime. For the details, see Koblitz [Kob]. Exercises 7.3 1. Let n = pm where gcd (p, m) = 1. Show that the (p − 1) method fails if p − 1 and ϕ(m) both divide a!.
Further Topics Related to Elliptic Curves 485
2. Let n be a positive integer, n > 1. Show that n is a prime number if and only if (x − a)n = x n − a in Zn [x], for all elements a in Zn . 7.4 Singular Curves of Form y 2 = x 3 + ax + b
After all the attention that we have given to nonsingular curves of the form y 2 = x 3 + ax + b, it is only natural to wonder what can be said about singular curves of the same form. As it turns out, the singularity on such a curve is its weakness and can be used to parameterize the curve by a line. So, throughout this section, let E : y 2 = x 3 + ax + b be a singular curve over an algebraically closed field F of characteristic different from 2 and 3. Then = 4a 3 + 27b 2 = 0. There are two cases to consider: Case (i) a = b = 0. Case (ii) a = 0, b = 0. In Case (i), the curve reduces to y 2 = x 3. This is easily seen to be parameterized by the equations x = t 2,
y = t3
(t ∈ F ).
We now consider Case (ii). From the proof of Theorem 6.1.1, we know that E has a singularity at the point S = (α, 0) where α=−
2a 2 3b = . 2a 9b
We also saw that in this situation 3α 2 + a = 0.
(7.5)
486 Introduction to Applied Algebraic Systems
Equipped with this information, consider an arbitrary line through S in parametric form x = α + ct y = d t. Subsituting into the equation for E we obtain d 2 t 2 = (α + ct )3 + a(α + ct ) + b = α 3 + aα + b + (3α 2 + a)ct + 3αc 2 t 2 + c 3 t 3 = t 2 (3αc 2 + c 3 t )
(by (7.5) and since S ∈ E).
Rearranging, we obtain t 2 (d 2 − 3αc 2 − c 3 t ) = 0 so that S is a double point of intersection for all lines with one exception. We have a triple point of intersection at S for any line satisfying d 2 − 3αc 2 = 0 or d 2 = 3αc 2
(7.6)
which, in general, has two solutions. Thus, every line through S, with the exception of the two lines satisfying (7.6), will meet E in a unique third point. So consider the line Lt through S and the point (0, t ): y −t 0−t = α−0 x −0 or y = α −1 (α − x) t .
(7.7)
Now we know that x = α must be a repeated root of x 3 + ax + b (since ∂ 3 ∂x (x + ax + b) = 0 when x = α), so to find the third root β, we can write x 3 + ax + b = (x − α)2 (x − β). Equating the coefficients of x 2 , we find −2α − β = 0
or
β = −2α.
Further Topics Related to Elliptic Curves 487
Thus, x 3 + ax + b = (x − α)2 (x + 2α). Substituting (7.7) into E, we obtain α −2 (α − x)2 t 2 = (x − α)2 (x + 2α) or (x − α)2 (x + 2α − α −2 t 2 ) = 0. Thus, the third point of intersection of Lt with E is given by x = −2α + α −2 t 2
(7.8)
which, substituted into (7.7), yields y = α −1 (3α − α −2 t 2 ) t = 3t − α −3 t 3 .
(7.9)
From (7.6) we know that the lines with slope m = dc where m 2 = 3α have a triple point of intersection with E at S. Now the slope of the line in (7.7) is −α −1 t , so that this corresponds to − α −1 t = m or t = −m α. Both the possible values of t , when subsituted into (7.8) and (7.9), yield the point S. Thus, if we retain one value—say, t = mα—but reject the other, then the equations (7.8) and (7.9) provide a parameterization of E in terms of the line x = 0 with the point (0, −mα) deleted. This provides a complete description of E. If P is a singular point on E, then every line through P has intersection multiplicity at P of at least two. Hence it is not possible to define P + Q, for any point Q on E, in the manner of section 6.9 for elliptic curves. So we cannot construct a group on E as we did in the elliptic case. However, if we just consider the nonsingular points on E, then it is possible to introduce a group structure based on the geometry of the curve. Over Q, depending on the nature of the singularity, one obtains either the additive group of rational
488 Introduction to Applied Algebraic Systems
numbers (Q, +) or the multiplicative group of nonzero rational numbers (Q∗ , ·). Either way, the group is infinite and not finitely generated. For details of these constructions, see Silverman and Tate ([ST], III.7). Exercises 7.4 1. Let the curve f (x, y) = 0 be given by the parametric equations (7.8) and (7.9). Show that this is a singular curve of the form y 2 = x 3 + ax + b. 2. Show that a singular curve of the form y 2 = x 3 + ax + b has just one singular point.
7.5 Birational Equivalence
Following our consideration of conics and cubics in sections 6.6, 6.7, and 6.8, it might appear that we focused our attention on a very special class of cubics—namely, the elliptic curves. However, as we will see in this section, elliptic curves really represent a much larger class of curves. Let f (x1 , . . . , xn ), g = (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ]. Then the curves C1 : f (x1 , . . . , xn ) = 0
and
C2 : g (x1 , . . . , xn ) = 0
are said to be birationally equivalent if there exist αi (x1 , . . . , xn ), βi (x1 , . . . , xn ), γi (x1 , . . . , xn ), δi (x1 , . . . , xn ) ∈ F [x1 , . . . , xn ] for 1 ≤ i ≤ n, such that (1) for all P = (a1 , . . . , an ) ∈ C1 (with the possible exception of a finite number of points) the point with coordinates xi =
αi (a1 , . . . , an ) βi (a1 , . . . , an )
(1 ≤ i ≤ n)
is a point on C2 , and all but, at most, a finite number of points on C2 are obtained in this way; (2) for all points Q = (b1 , . . . , bn ) ∈ C2 (with the possible exception of a finite number of points) the point with coordinates xi =
γi (b1 , . . . , bn ) δi (b1 , . . . , bn )
(1 ≤ i ≤ n)
is a point on C1 and all but, at most, a finite number of points on C1 are obtained in this way. Roughly speaking, birationally equivalent curves can be thought of as parameterizing each other. As we have seen in earlier sections (and will see in the
Further Topics Related to Elliptic Curves 489
following exercises) the degrees of such curves can be quite different. Intuitively, birationally equivalent curves should have similar properties. We are now able to indicate the central role of elliptic curves in the study of cubics. By a rational point we will mean a point with coordinates in Q. Let f (x, y) ∈ Q[x, y] be a cubic polynomial such that the curve C : f (x, y) = 0 is nonsingular and has a rational point. We will show, modulo a few assumptions to simplify the calculations, that the curve f (x, y) = 0 is birationally equivalent to a curve of the form D : y 2 = x 3 + ax + b. Basically, we will assume, without comment, that any divisor that appears in the calculation is, indeed, nonzero. Let P be a rational point on C. Since C is nonsingular, there exists a tangent line L at P = (x0 , y0 ). Consider L as given in parameterized form x = x0 + ct y = y0 + dt . If we substitute these values into f (x, y), we will obtain a cubic polynomial f (x0 + ct , y0 + dt ) = f1 (t ) in t . Then L meets C exactly where f1 (t ) = 0. Since L is a tangent to C at t = 0, we know that t must be a double root so that f1 (t ) = t 2 f2 (t ) where f2 (t ) is linear. If we solve f2 (t ) = 0, we find a second (third, if counting multiplicities) point of intersection of L with C. Call this point Q. Since the coordinates of P are rational and the coefficients of f (x, y) are rational, it follows that the coefficients of L are rational. Hence, the coefficients of f1 (t ) are rational and therefore those of f2 (t ) are rational. Consequently, the second value of t is rational and finally we see that the coordinates of Q are also rational. We can now perform a simple change of variables to make Q the origin with respect to the new variables. If Q is the point (q1 , q2 ), then this is equivalent to working with the polynomial g (x, y) = f (x − q1 , y − q2 ) instead of f (x, y). However, f (x, y) and g (x, y) are clearly birationally equivalent. So there is no loss in simply assuming that Q is the origin to start with and that f (0, 0) = 0. This means that the constant term in f (x, y) is zero. Now consider any line y = tx through the origin (Q). This meets C where f (x, tx) = 0. Since there is no constant term in f (x, y), it follows that every term in f (x, y) is divisible by either x or y and, therefore, that every term in f (x, tx) is divisible
490 Introduction to Applied Algebraic Systems
by x. Hence, f (x, tx) = xf ∗ (x, t ) where the highest power of x in f ∗ (x, t ) is at most 2 and the highest power of t is at most 3. However, t 3 can only occur if there is a term ky 3 in f (x, y). This would contribute a term kt 3 x 3 to f (x, tx) and a term kt 3 x 2 to f ∗ (x, t ). Thus we can write f ∗ (x, t ) = A(t )x 2 + B(t )x + C(t ) where A(t ) is a polynomial in t of degree, at most, 3. Similar arguments show that B(t ) is a polynomial in t of degree, at most, 2 and C(t ) is a polynomial in t of degree, at most, 1. Now every point on C, other than Q, must lie on the intersection of C with some line y = tx and so is a solution to f ∗ (x, t ) = A(t )x 2 + B(t )x + C(t ) = 0
(7.10)
for some value of t . Conversely, any solution to (7.10) will determine a point on C. Therefore, (7.10) gives an alternative polynomial description of C, except for the point Q. Let y = t0 x correspond to the line PQ. Since PQ is the tangent at the point P, it follows that x0 is a double zero of f (x, t0 x). Now suppose that, in addition, P = Q = (0, 0), then we have a triple point at P so that x0 = 0 is a triple root of f (x, t0 x) = xf ∗ (x, t0 ) = x(A(t0 )x 2 + B(t0 )x + C(t0 )) which implies that f (x, t0 x) = x 3 A(t0 ). However, this can only happen if f (x, y) is homogeneous of degree 3, which would imply that f (x, y) has a singularity at (0, 0), contradicting our assumption that f (x, y) is nonsingular. Hence, we may assume that P = Q and that x0 = 0. However, 0 = f (x0 , t0 x0 ) = x0 f ∗ (x0 , t0 ) = x0 (A(t0 )x02 + B(t0 )x0 + C(t0 )) where x0 = 0, yet x0 is a double root (since PQ is the tangent at P). So we can deduce that x0 is a double root of the quadratic equation A(t0 )x 2 + B(t0 )x + C(t0 ) = 0. For that to happen, we must have B(t0 )2 − 4A(t0 )C(t0 ) = 0.
(7.11)
Further Topics Related to Elliptic Curves 491
For any point on C, as given by (7.10), $
%2 1 1 A(t )x + B(t ) = A(t )2 x 2 + A(t )B(t )x + B(t )2 2 4 1 = A(t )[A(t )x 2 + B(t )x] + B(t )2 4 1 = A(t )[−C(t )] + B(t )2 by (7.10) 4 1 = (B(t )2 − 4A(t )C(t )). (7.12) 4
Now make the change of variable 1 t = t0 + . z
(7.13)
Then the constant term (relative to 1/z) in (A(t )x + 12 B(t ))2 will, from (7.12), be 1 (B(t0 )2 − 4A(t0 )C(t0 )) 4 which is just zero, by (7.11). Hence, since B(t ) is a quadratic in t and C(t ) is linear in t , $ 1 %2 1% $ 1 %% 1$ $ B t0 + − 4A t0 + C t0 + 4 z z z 1 1 1 1 = c4 4 + c3 3 + c2 2 + c1 (for some ci ∈ Q) z z z z 1 = 4 (c4 + c3 z + c2 z 2 + c1 z 3 ) z 1 = 4 D(z) z where D(z) is a polynomial in z of degree, at most, 3 with coefficients in Q. By Section 5.8, there exists a substitution z = αX + β,
X=
1 (z − β) α
for which D(z) = D(αX + β) = X 3 + aX + b.
(7.14)
492 Introduction to Applied Algebraic Systems
Now set % $ 1 Y = A(t )x + B(t ) (αX + β)2 . 2
(7.15)
Then, from (7.12) and (7.13), we obtain 2 A(t )x + 12 B(t ) (αX + β)4 Y2 = (αX + β)4 (αX + β)4 2 1 = A(t )x + B(t ) 2 1 = (B(t )2 − 4A(t )C(t )) 4 ) 1 1 2 1 1 = B t0 + C t0 + − 4A t0 + 4 z z z 1 D(z) z4 1 = · (X 3 + aX + b) (αX + β)4 =
from which it follows that D : Y 2 = X 3 + aX + b a cubic curve of the desired form. The final task is to make it a bit more transparent that the curves C and D really are birationally equivalent. First, from (7.13), (7.14), and y = tx, we have % 1$ 1 1 (z − β) = −β α α t − t0 $ % 1 1 = −β α y/x − t0
X=
a rational expression in x and y; and from (7.15), it follows that Y is also a rational expression in x and y. Moreover, the whole argument leading to the definitions of X and Y shows that whenever (x, y) is a point on C, then (X , Y ) will be a point on D.
Further Topics Related to Elliptic Curves 493
On the other hand, from (7.13) and (7.14), 1 1 = t0 + z αX + β t0 αX + (t0 β + 1) = αX + β
t = t0 +
(7.16)
whereas from (7.15) x=
1 A(t )
1 Y − B(t ) . (αX + β)2 2
(7.17)
Combining (7.16) and (7.17), we obtain x as a rational expression in X and Y . Combining (7.16) and (7.17), with y = tx, we also obtain y as a rational combination of X and Y . We leave it as an exercise for you to show that if (X , Y ) is a point on the curve D, then (x, y), where x and y are defined as noted earlier, is a point on C. It can also be shown that D is, in general, nonsingular, but this lies beyond the scope of this discussion. Exercises 7.5 1. Show that the mappings θ : (x, 0) −→ (x 4 , x 3 ) $ y3 % ϕ : (x, y) −→ 2 , 0 x establish the birational equivalence of the curves C1 : y = 0,
C2 : y 4 − x 3 = 0
over R. 2. Show that the mappings θ : (x, 0) −→ (x 5 , x 2 ) $x % ϕ : (x, y) −→ 2 , 0 y establish the birational equivalence of the curves C1 : y = 0,
C2 : y 5 − x 2 = 0.
494 Introduction to Applied Algebraic Systems
7.6 The Genus of a Curve
Associated with every curve is a nonnegative integer called its genus. This is a very important invariant in the analysis of curves. There are various possible definitions of the genus, some of which are topological in nature. We begin with a result that puts a bound on the number of singularities that certain curves can have. Proposition 7.6.1 Let C be an irreducible curve of degree n over an algebraically closed field F and let C have m singularities. Then m≤
(n − 1)(n − 2) . 2
Proof. We argue by contradiction. Suppose that m>
(n − 1)(n − 2) . 2
Clearly, lines are nonsingular and it is left as an exercise to show that irreducible conics are nonsingular. So we may assume that n ≥ 3. By hypothesis, C has + 1 singularities—say, P1 , P2 , . . . , P (n−1)(n−2) +1 . Choose (at least) (n−1)(n−2) 2 2 an additional n − 3 points on C to obtain P1 , . . . , Pk−1 points all told where we define k by the equation k −1=
(n − 1)(n − 2) +1+n−3 2
so that k= = = = =
(n − 1)(n − 2) +1+n−2 2 n 2 − 3n + 2 + 2 + 2n − 4 2 n2 − n 2 (n − 1)n 2 ((n − 2) + 1)((n − 2) + 2) . 2
Further Topics Related to Elliptic Curves 495
Hence, by Theorem 6.5.3, there exists a curve, D say, of degree n − 2 that passes through the points P1 , . . . , Pk−1 . Since C is irreducible and deg (D) = n − 2 < n = deg (C), it follows that C and D have no components in common. Consequently, by Bézout’s Theorem, C and D have n(n−2) points of intersection, counting multiplicities. However, the multiplicity of intersection between two curves at a singular point on one of the curves is at least two. Hence, counting multiplicities, the number of points of intersection of C and D is at least (n − 1)(n − 2) +1 +n−3 2× 2 = n 2 − 3n + 2 + 2 + n − 3 = n 2 − 2n + 1 > n 2 − 2n which contradicts Bézout’s Theorem. Therefore, the result follows.
For any irreducible curve C of degree n with m singularities, all of which are double points, we define g (C) =
(n − 1)(n − 2) − m. 2
By Proposition 7.6.1, g (C) is a nonnegative integer. The next result spells out the key invariance property of g (C). Theorem 7.6.2 Let C be an irreducible curve that is birationally equivalent to two irreducible curves C1 and C2 , each of which is such that all of its singularities are double points. Then g (C1 ) = g (C2 ). This result makes the following definition possible. Let C be an irreducible curve that is birationally equivalent to an irreducible curve D, all of whose singularities are double points. Then the genus of C is g (D). Of course, if all the singularities of C are double points, then we can take D = C. Example 7.6.3 For any line L or irreducible (= nondegenerate) conic C, g (L) = 0 = g (C). Example 7.6.4 For any elliptic curve E, g (E) = 1.
496 Introduction to Applied Algebraic Systems
We close with some interesting facts concerning the classification of curves by their genus that highlight the special position of elliptic curves. (1) Every curve of genus 0 is birationally equivalent to either a line or a conic. (2) Any curve of genus 1 over Q with a rational point is birationally equivalent to a nonsingular cubic (and therefore an elliptic curve). (3) If a curve over Q with genus 0 has one rational point then it has infinitely many rational points. (4) There exist curves over Q with genus 1 that have finitely many rational points and there exist curves over Q with genus 1 that have infinitely many rational points. (5) Any curve over Q with genus greater than 1 has only finitely many rational points. Exercises 7.6 1. Let E : y 2 = x 3 + ax + b be such that a and b are nonzero and = 0. Show that g (E) = 0. 2. Let Cn : x n + y n = a n over C (n ≥ 3, a = 0). Show that . g (Cn ) = (n−1)(n−2) 2 7.7 Pell’s Equation
In the previous chapter we saw how the points on an elliptic curve can be endowed with a natural group structure. The study of the algebraic structure of curves sits squarely in the area of algebraic geometry and there is a vast amount of information available in the many texts on the subject. In conclusion, we present one more well-known example of a different character and of ancient origins, where the set of points on a curve permits a very natural group structure. When we consider equations of the form f (x1 , . . . , xn ) = 0, where f ∈ Z[x1 , . . . , xn ] and are interested in finding integer solutions, it is customary to refer to the equations as Diophantine equations. As the name might suggest, such equations have been studied ever since the days of ancient Greece. The organized study of the integer solutions of such equations belongs in the domain of number theory. It will suit our purposes here to consider just one example—namely, equations of the form x 2 − dy 2 = 1 where d is a positive integer and not a square. A simple example would be x 2 − 5y 2 = 1. This has a solution x = 9, y = 4, for instance, but has many, indeed infinitely many, solutions. Part of the interest in equations of this form derived from the fact that, as the values of the solutions x, y increase, the ratios x/y provide better and better approximations to the square root of d. For example, the solutions (x, y) = (9, 4), (161, 72), (682, 305) provide the following
Further Topics Related to Elliptic Curves 497
approximations to
√
5: (9, 4) −→ 2.25 (161, 72) −→ 2.236111 (682, 305) −→ 2.236065574 √ 5 = 2.236067978 . . . .
Equations of this sort were of interest to Archimedes, who posed a famous problem known as the cattle problem, which was not solved until the 18th century. These equations were also of interest to Indian mathematicians, and solutions to the equations for values of d = 2, 3 were known to ancient Greek and Indian mathematicians. Brahmagupta found a general method to solve such equations in the seventh century. A similar solution was found by Brouncker in the 17th century. So it was something of an accident that Euler happened to call such an equation Pell’s equation and the name has stuck ever since. To prove that Pell’s equation does have nontrivial integer solutions (that is, different from x = ±1, y = 0) for all values of d would be too much of a digression for us at this point. So we refer you to [L], [McCo] or [NZ] for a proof of that fact and more details of the history of the equation. We will assume that nontrivial integer solutions do exist. Since each solution consists of a pair of values, one for x and one for y, we will refer to the solutions as ordered pairs (x, y) such that x 2 − dy 2 = 1. Note that there is no solution with x = 0 and that if (x, y) is a solution to Pell’s equation, then so also are (±x, ±y). Turning this around, we have that the set of integer solutions is S = {(±x, ±y) | x 2 − dy 2 = 1, x > 0, y ≥ 0}. We call any solution (x, y) with x, y > 0 a positive solution. Before proceeding to a description of the positive solutions, we need to consider the following subset of R: For a positive integer d, not a perfect square, let √ √ Q( d ) = {a + b d | a, b ∈ Q}. √ √ It is a simple exercise to show that Q( d ) is a field. In fact, Q( d ) is just a more intuitive way of describing the field Q[z]/(z 2 − d).
√ Since ± d are the two roots of x 2 − d, it follows that the mapping √ √ ϕ : a + b d −→ a − b d √ is an automorphism of Q( d ).
(a, b ∈ Q)
498 Introduction to Applied Algebraic Systems
Lemma 7.7.1 Let (a, b) be a positive solution for which a is the smallest possible value (in N). Then (i) b is also the smallest possible value in√N for all positive solutions (ii) if (x, y) is a solution with 1 < x + y d, then (x, y) is a positive solution and √ √ x + y d ≥ a + b d. Proof. (i) Let (x, y) be any positive solution with x, y ∈ N. By the choice of (a, b) we have x ≥ a. Also, x 2 − dy 2 = 1 = a 2 − db 2 so that d (y 2 − b 2 ) = x 2 − a 2 ≥ 0. Hence, y 2 ≥ b 2 and y ≥ b. (ii) We have √ √ (x + y d )(x − y d ) = x 2 − dy 2 = 1 √ so that we also have x − y d > 0 and √ √ x − y d = (x + y d )−1 < 1. Hence, √ 1 = (x + y d ) + 2 √ √ 1 y d = (x + y d ) − 2 x
√ 1 (x − y d ) ≥ 2 √ 1 (x − y d ) > 2
1 +0 >0 2 1 1 − = 0. 2 2
Therefore, (x, y) is a positive solution. It now follows from part (i) that x ≥ a and y ≥ b. Therefore, √ √ x + y d ≥ a + b d.
In light of Lemma 7.7.1 (i), it seems reasonable to refer to the solution (a, b) as the smallest positive solution.
Further Topics Related to Elliptic Curves 499
Theorem 7.7.2 Let d be a positive integer and not a perfect square. Let (a, b) be the smallest positive solution to x 2 − dy 2 = 1. Then √ √ P = {(an , bn ) | (a + b d )n = an + bn d } is the set of all positive solutions. (Note that (a1 , b1 ) = (a, b).) √ Proof. Applying the automorphism ϕ of Q( d), introduced earlier in this section, to √ √ an + bn d = (a + b d )n we obtain √ √ an − bn d = (a − b d )n . Hence, √ √ an2 − dbn2 = (an + bn d )(an − bn d ) √ √ = (a + b d )n (a − b d )n = (a 2 − b 2 d )n = 1. Thus, every element of P is a solution. Now let (x, y) be any positive solution and suppose that (x, y) ∈ P. Since a, b, d, x, y ∈ N, it follows that there must exist an integer n with √ √ √ (a + b d )n ≤ x + y d < (a + b d )n+1 . √ √ √ √ However, (a + b d )n = an + bn d so that (a + b d )n = x + y d would imply that (x, y) = (an , bn ) ∈ P, which would be a contradiction. Hence we must have √ √ √ (a + b d )n < x + y d < (a + b d )n+1 . √ Multiplying by (a − b d )n (which we know must be positive) we obtain √ √ 1 = (a 2 − d b 2 )n = (a + b d )n (a − b d )n √ √ < (x + y d )(a − b d )n √ √ √ < (a + b d )n+1 (a − b d )n = (a + b d )(a 2 − d b 2 )n √ = a + b d.
500 Introduction to Applied Algebraic Systems
√ √ √ Let (x +y d )(a −b d )n = p +q d. Applying the automorphism ϕ, we get √ √ √ p − q d = (x − y d)(a + b d)n so that √ √ p 2 − dq 2 = (p + q d )(p − q d ) √ √ √ = (p + q d )(x − y d )(a + b d )n √ √ √ √ = (x + y d )(x − y d )(a − b d )n (a + b d )n = (x 2 − dy 2 )(a 2 − db 2 )n = 1. Thus, (p, q) is a solution with √ √ 1 < p+q d < a+b d which contradicts Lemma 7.7.1 (ii). Therefore, (x, y) ∈ P and P is the set of all positive solutions. It is evident from the previous arguments that there is a strong connection between the solutions to Pell’s equation and the numbers of the form √ x + y d. Let √ G = {x + y d | x 2 − dy 2 = 1}. Then the mapping √ θ : (x, y) → x + y d is a bijection of S (the set of solutions to x 2 − dy 2 ) to G. This makes the following observation especially interesting. √ Lemma 7.7.3 (G, · ) is a subgroup of (Q( d ), · ). Proof. Exercise.
With the help of the bijection θ, we can now pull the group structure of G back to S by defining (x1 , x2 ) ∗ (y1 , y2 ) = θ −1 (θ (x1 , x2 ) · θ (y1 , y2 )) √ √ = θ −1 ((x1 + x2 d )(y1 + y2 d ))
Further Topics Related to Elliptic Curves 501
√ = θ −1 (x1 y1 + x2 y2 d + (x1 y2 + x2 y1 ) d ) = (x1 y1 + x2 y2 d, x1 y2 + x2 y1 ). In this way, we endow S with a natural, although not very obvious, group structure. As we will now see, the structure of G is fairly simple. Theorem 7.7.4 G ∼ = Z2 × Z. Proof. First recall that 1, −1 ∈ G trivially since 1 = 12 − d · 02 = (−1)2 − d · 02 √ √ so that 1 = 1 + 0 · d, −1 = −1 + 0 · d ∈ G. Let H = {1, −1}. Clearly, H 2 2 is a subgroup of √ G. Let (a, b) be the smallest positive solution for x −dy = 1, let α = a + b d, and let K = α = {α n | n ∈ Z}. Then K is also a subgroup of G and, since G is abelian, H and K are both normal subgroups of G. Clearly, H ∩ K = {1}. To show that G is the (internal) direct product√of H and K , it only remains to show that G = HK . Let x + y d ∈ G. We only consider the case where x < 0, with the case where x > 0 being similar. Then, √ √ x + y d = (−1)(−x − y d ) where −x > 0. Case (i) −y > 0. Then (−x, −y) is √ a positive solution and so, by Theorem 7.7.2, there exists n ∈ N with −x − y d = α n . Therefore, √ √ x + y d = (−1)(−x − y d ) = (−1)α n ∈ HK . Case (ii) −y < 0. Then, √ √ (−x − y d )(−x + y d ) = x 2 − dy 2 = 1 so that √ √ −x − y d = (−x + y d )−1 where (−x, y) is a positive solution. By Theorem 7.7.2, there exists n ∈ N with √ −x + y d = α n .
502 Introduction to Applied Algebraic Systems
Therefore, √ √ x + y d = (−1)(−x − y d ) √ = (−1)(−x + y d )−1 = (−1)α −n ∈ HK . √ Thus, in all cases, x + y d ∈ HK . Hence, G is the (internal) direct product of H and K . Consequently, G∼ = H × K. However, it is clear that H is cyclic of order 2 whereas K is an infinite cyclic group. Hence, H ∼ = Z. Therefore, G ∼ = Z2 × Z, as claimed. = Z2 and K ∼ Corollary 7.7.5 S ∼ = Z2 × Z. Exercises 7.7 1. Let (a, b) ∈ N × N be a positive solution to the equation x 2 − dy 2 = 1 (d ∈ N) for which b is the smallest possible value (in N). Show that a is also the smallest possible positive value for any solution. 2. Show that (9, 4) is the smallest positive solution to the equation x 2 − 5y 2 = 1.
References
[AKS] Agrawal, M., N. Kayal and N. Saxena. “Primes is in P,” Annals of Mathematics, 160,(2004), 7817–93. [Bon] Boneh, D. “Twenty Years of Attacks on the RSA Cryptosystem,” Notices of the American Mathametical Society, 46 (1999), 203–12. [Boy] Boyer, C. B. A History of Mathematics (2nd Edition), John Wiley & Sons, New York, 1991. [BC] Brown, J. W. and R. V. Churchill, Complex Variables and Applications, McGraw Hill, New York, 2004. [CLO] Cox, D., J. Little, and D. O’Shea. Ideals, Varieties and Algorithms, Springer-Verlag, New York, 1992. [CLRS] Cormen, T. H., C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms, Second Edition, MIT Press and McGraw-Hill, 2001. [Dau] Dauben, J. “Review of ‘The Universal History of Numbers and The Universal History of Computing, Volumes I and II’ by Georges Ifrah,” Notices of the American Mathematical Society, 49 (2002), 32–38, 211–216. [Di] Dickson, L. E. History of the Theory of Numbers, Volume II, Chelsea Publishing Co., New York, 1966, 575–78. [Ful] Fulton, W. Algebraic Curves—An Introduction to Algebraic Geometry, Addison-Wesley, New York, 1989. [HW] Herstein, I. N. and D. J. Winter. Matrix Theory and Linear Algebra, Macmillan Publishing Co, New York, 1988. [Hod] Hodges, A. Alan Turing: The Enigma, Vintage, London, 1992. [Hul] Hulek, K. C. B. Elementary Algebraic Geometry, American Mathematical Society, Providence, 2003. [Kob] Koblitz, N. A Course in Number Theory and Cryptography, Springer, New York, 1994. 503
504 References
[L] [LP]
[McCa] [McCo] [Mil]
[Men] [Nav] [Nel] [Neu] [Nic] [NZ] [Pal] [Rej] [Pat] [RSA]
[Sing] [ST] [Ste] [Sti] [Van] [Var] [W] [Zel]
Lenstra, H. W., Jr. “Solving the Pell Equation,” Notices of the American Mathematical Society, 49 (2002), 182–92. Lenstra, H. W. Jr. and C. Pomerance. “Primality Testing with Gaussian Periods,” http://www.math.dartmouth.edu/∼carlp/PDF/complexity12.pdf, preliminary version, 2005. McCarthy, P. J. Algebraic Extensions of Fields, Blaisdell, Waltham, Massachusetts, 1966. McCoy, N. H. The Theory of Numbers, Collier-McMillan, London, 1965. Miller, R. A. “The Cryptographic Mathematics of Enigma,” http://www.nsa. gov/about/cryptologic_heritage/center_crypt_history/publications/wwii. shtml, 2001. Menezes, A. J. Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, Boston, 1993. Navarro, G. “On the Fundamental Theorem of Finite Abelian Groups,” American Mathematical Monthly, February (2003), 153–154. Nelson, B. Punched Cards to Bar Codes, Helmers Publishing. Peterborough, NH, 1997. Neuman, P. M. “A Lemma that is not Burnside’s,” Math. Scientist, New York, 1979 (4), 1331–41. Nicholson, W. K. Elementary Linear Algebra, McGraw-Hill Ryerson, New York, 2001. Niven, I., and H. S. Zuckerman. An Introduction to the Theory of Numbers, John Wiley, New York, 1960. Palmer, R. C. The Bar Code Book, Trafford Publishing, Victoria, BC, 2007. Rejewski, M. “How Polish Mathematicians Deciphered the Enigma,” Annals of the History of Computing 3, 1981, 2132–33. Patterson, W. Mathematical Cryptology for Computer Scientists and Mathematicians, Rowman & Littlefield, New York 1987. Rivest, R. L., A. Shamir, and L. Adleman. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, 21 (1978), 120–26. Singh, S. and K. Ribet. Fermat’s Last Stand, Scientific American, Munn & Co., New York, November 1997, 68–73. Silverman, J., and J. Tate. Rational Points on Elliptic Curves, Springer-Verlag, New York, 1992. Stepanov, S. A. Arithmetic of Algebraic Curves, Monographs in Contemporary Mathematics, Consultants Bureau, New York, 1994. Stinson, D. R. Cryptography Theory and Practice, CRC Press, New York, 1995. Vanstone, S. A., and R. C. van Oorschot. An Introduction to Error Correcting Codes with Applications, Kluwer Academic Publishers, Boston, 1992. Varsanyi, G. Assignments for Vibrational Spectra of Seven Hundred Benzene Derivatives, J.Wiley & Sons, New York, 1974. Wells, D. The Penguin Book of Curious and Interesting Puzzles, Penguin Books, London U.K. 1992. Zelinsky, D. A First Course in Linear Algebra, Academic Press, New York, 1968.
Index
N, 5 N0 , 5 Nn , 5 Q, 5 R, 5 Z, 5 Zn , 37
An , 215 C(α), 155 CIG (x1 , x2 , . . . , xn ), 255 CIα (x1 , x2 , . . . , xn ), 255 CIg (x) , 173 Dn , 188 Dn (F ), 212 F (α), 241 F [x]/f (x), 123 GLn (F ), 209 Ig (x) , 173 Mn (R), 81 O(x), 228 On (F ), 212 Pn (F ), 209 Q8 , 198 R[x], 102 R ∗ , 83 S(x), 234 SLn (F ), 212 SOn (F ), 212 SUTn (F ), 212 SX , 200 Sn , 200 UTn (F ), 212 Z (G), 195 [x]n , 34 C, 6
∼ =, 265 a, 194 det(A), 207 ≡n , 33 A, 195, 333 a1 , . . . , am , 333 d(C), 170 d(a, b), 170 g1 ∗ g2 , 364 mα (x), 152 xi degree, 356 Tor, 292 2-cycle, 202
Abelian, 182 Absolute value, 6 Affine variety, 369 Algebraic, 152 Alternating subgroup, 215 Arithmetic progression, 16 505
506 Index
Associative law, 11 Automorphism, 90, 331 Bar codes, 51 Base Point, 453 Base subfield, 92 Basis, 96 BCH code, 178 Bézout’s Theorem, 430 Bijection, 8 Bijective, 8 Binary operation, 38 Buchberger’s Algorithm, 364 Burnside’s Lemma, 243 Cancellation law, 48 Cardinality, 5 Carmichael numbers, 66 Cartesian product, 7 Cauchy’s Theorem, 301 Cayley table, 186 Cayley’s Theorem, 217 Center (of ring), 93 Central series, 315 Centralizer, 295 Center, 195 Characteristic, 87 Check digit, 51 Check vector, 51 Class (of nilpotent group), 315 Class equation, 296 Code, 169, 170 Coloring (k-), 250 Common difference, 16 Commutative (group), 182 Commutator, 309 Commutator subgroup, 309 Compatible order, 352 Composite, 10 Congruence relation, 38 Congruent, 33 Conic, 427 Conjugacy class, 292 Conjugate elements, 292 Conjugate roots, 155 Conjugate subgroups, 292 Conjugates, 292 Constant (polynomial), 102 Constant polynomial, 339 Coset, 221 Cubic, 427 Cycle index (of a group), 255
Cycle index (of an element), 255 Cycle pattern, 254 Cyclic (code), 173 Cyclic (sub)group, 194 Decomposable, 281 Decryption exponent, 71 Degree, 102, 340 Dependent, 96 Derived subgroup, 309 Determinant, 207 Dimension, 96 Diophantine Equation, 42 Direct product (of sets), 7 Direct product of groups (external), 188 Discrete Log Problem, 472 Discriminant, 404 Disjoint, 203 Division Algorithm for integers, 19 Division Algorithm for Polynomials, 103 Divisor, 105, 342 Domain, 8 Double and add method, 483 Double cosets, 302 Double point, 398 Edges, 225 Eisenstein’s criterion, 120 ElGamal, 471 Elliptic curve, 403 Elliptic curve cryptosystem, 471 Empty set, 4 Encryption exponent, 71 Endomorphism, 331 Epimorphism, 265, 331 Equivalence, 32 Equivalence class, 34 Essentially different, 230 Euclidean Algorithm for integers, 20 Euclidean Algorithm for Polynomials, 105 Euler’s function, 61 Euler’s Theorem, 64 Even permutation, 213 Exponentiation by Squaring, 74 Extended Euclidean Algorithm, 22 Extension field, 130 Factor, 105 Fermat numbers, 31 Fermat’s Last Theorem, 476 Fermat’s Theorem, 65
Index 507
Fibonacci sequence, 18 Field, 80 field of quotients, 341 Finitely generated ideal, 333 First Homomorphism Theorem for Rings, 335 Fixed, 241 Fixed set, 241 Formal derivative, 122 Frey elliptic curve, 476 Frobenius automorphism., 206 Function, 8 Fundamental region, 274 Fundamental Theorem for Finite Abelian Groups, 286 Fundamental Theorem of Arithmetic, 27 G-equivalent, 252 Generator (of F ∗ ), 141 Generators (of a group), 187 Genus, 495 Geometric progression, 17 Graph, 225 Greatest common divisor, 20 Greatest common divisor (polynomials), 105 Groebner basis, 361 Group, 181 Group of rotational symmetries, 188 Group of Symmetries, 238 Hamming distance, 170 Hilbert’s Basis Theorem, 362 Hilbert’s Nullstellensatz, 377 Homogeneous polynomial, 408 Homogenization, 410 Homomorphic image, 265 Homomorphism, 195, 331 Ideal, 139, 332 Ideal generated by A, 333 Ideal of V , 368 Idempotent, 13 Identity (of Zn ), 40 Identity (of group), 183 Identity (of ring), 80 Identity function, 11 Image, 8 Implicitization, 391 Indecomposable, 281 Independent, 96
Index, 33 Index (of a subgroup), 224 Induction (Principle), 15 Induction hypothesis, 15 Induction step, 15 Injection, 8 Injective, 8 Integers modulo n, 37 Integral domain, 83 Internal direct product, 280 International Standard Book Number (ISBN), 51 Interpolation, 113 Inverse, 83 Inverse (Zn ), 46 Inverse (functions), 12 Inverse (in a group), 183 Invertible (Zn ), 46 Invertible in a ring, 83 Irreducible, 116, 342, 372 Isomorphism, 90, 331 Isomorphism (groups), 195 Kernel, 267, 332 Klein 4-group, 191 Lagrange Interpolation, 113 Lagrange polynomials, 116 Lagrange’s Theorem, 223 Latin Square, 48 Leading coefficient, 102, 353 Leading monomial, 353 Leading term, 353 Least common monomial multiple, 363 Least common multiple, 24 Left ideal, 338 Length (of series), 315 Lexicographic ordering, 352 Line, 427 Linear (code), 172 Linear (polynomial), 102 LN-elements, 468 M-modular, 478 Mapping, 8 Membership problem, 350 Mersenne primes, 31 Minimal polynomial, 152 Modified chain rule, 399 Modular arithmetic, 40 Modular elliptic curve, 479
508 Index
Modular function, 478 Modular group, 478 Modular Law, 273 Monic, 102 Monoid, 182 Monomial, 340 Monomial Order, 352 Monomial term, 340 Monomorphism, 265, 331 Multiplicity of C at P, 398 Multiplicity of the intersection, 395 n-cycle, 202 n-dimensional projective space, 414 Natural (homomorphism), 271 Natural homomorphism, 335 Newton Interpolation, 113 Nilpotent element, 338 Nilpotent group, 315 Nonsingular, 399 Normal (subgroup), 268 Normalizer, 295 Odd permutation, 213 One-to-one, 9 Orbit, 228 Orbit/stabilizer theorem, 235 Order of a field element, 140 Order of a group element, 185 Order of an element of Zn , 67 Oriented colouring, 230 Orthogonal (Latin Square), 50 p-group, 284 Parameterization, 389 Parameters, 384 Parametric equations, 385 Parametric solution, 383 Parametrized, 389 Parity, 213 Partial derivative, 399 Partition, 33 Permutation, 200 Points at Infinity, 416 polar coordinates, 6 Polynomial, 100 Polynomial parametrization, 389 Prime factorization, 29 Prime ideal, 389 Prime number, 26 Prime subfield, 92
Primitive element, 141 Principal ideal, 333 Principal ideal domain, 333 Product rule, 399 Projective Line, 417 Projective plane, 414 Proper (subset), 5 Proper subgroup, 193 Public key, 71 Pythagorean triples, 476 Quadratic residue, 44 Quaternion group, 198 Quotient, 271 Range, 8 Rational point, 489 Reducible, 116, 342, 372 Reed-Solomon code, 178 Reflexive, 32 Regular polyhedra, 239 Relation, 32 Relations (between group generators), 187 Right ideal, 338 Ring (commutative), 80 Ring of polynomials, 102 Root, 44 Rotational symmetry, 188 Scalar, 95 Semidirect product, 283 Semigroup, 182 Set, 3 Simple group, 314 Singular, 399 Solution of the congruence, 44 Solvable, 312 Span, 96 Stabilizer, 234 Subfield, 88 Subgroup, 193 Subgroup generated by A, 195 Subring, 88 Subset, 5 Subspace, 96 Surjection, 8 Surjective, 8 Sylow p-subgroup, 301 Sylow’s First Theorem, 300 Sylow’s Second Theorem, 302
Index 509
Sylow’s Third Theorem, 305 Symmetric, 32 Tangent, 398 Torsion subgroup, 292 Total order, 352 Transitive, 32 Transitive group, 230 Transposition, 202 Trap door functions, 70 Trivial subgroup, 193 Unit, 83 Unit (Zn ), 46 Universal Product Code (U.P.C.), 51
Vandermonde matrix, 345 Vector space, 95 Vertices, 225
Well Ordered, 352 Well-ordering axiom, 7 Wilson’s Theorem, 49
Zero, 44 Zero (of Zn ), 40 Zero (of ring), 80 Zero divisor, 47 Zero divisors (of ring), 83 Zero of the congruence, 44